Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In CRYPTO '91, volume 576 of LNCS, pages 457--469. 1992.  Home/Search   Document Not in Database   Summary   Related Articles   Check

.... of various schemes, based mainly on existing cryptosystems, where the power to eval uate the cryptographic function is shared amongst a set of participants such that only certain (authorized) sets can correctly evaluate the function, an example being the shared generation of RSA signatures [17]. However, such schemes are gener ally concerned with allowing authorized sets of participants to jointly evaluate the function whilst preventing unauthorized sets from doing so, and do not address the situation where a set of participants conspire to prevent a correct evaluation of the function ....

....variant. The first part concentrates on threshold variant [15] of the E1Gamal public key cryptosystem [20] and uses the zero knowledge proof of equality of discrete logs of Chaum [9] to construct a verifiable version of the same scheme. The second part concentrates on a threshold variant [16, 17] of RSA [39] and uses a generalization to to construct verifiable variants of the threshold RSA scheme under consideration. The third part concentrates on a different threshold variant [16] of RSA which has the property of being provably as secure as RSA, and also uses the generalization to ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signa- tures. In J. Feigenbaum, editor, Advances in Cryptology - Crypro '91 (Lecture Notes in Computer Science 576), pages 457-469. Springer-Verlag, 1992.

....schemes (e.g. 16, 11] both parties of the system (the signer and the verifier) are individuals. The invention of society and group oriented cryptography [7] led to the generation and or verification of digital signatures by a group of participants rather than individuals (see, for example, [4, 8, 14, 19]) In almost all of these digital signature schemes, the generation verification of a signature requires the performance of some exponentiation. Since exponentiation is a costly operation, the design of efficient digital signature schemes (from both the generation and verification points of view) ....

Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," in Advances in Cryptology - Proceedings of CRYPTO '91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Science, pp. 457--469, Springer-Verlag, 1992.

....variant of the problem. A relaxed notion of computationally secure secret sharing has been considered in [44, 6] Originallymotivated by the problem of secure information storage, secret sharing schemes have found numerous other applications in cryptography and distributed computing (cf. [47, 10, 24, 26, 29]) However, secret sharing is independentlyinterestingas a pure complexity question. The default complexitymeasure of secret sharing schemes is their share size, i.e. the total length of all shares distributed by the dealer. This is a measure of the amount of communication (or storage) required ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology -- CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 457--469. Springer-Verlag, 1992.

....key shares because of the need of different sharings and the use of protocols to reconstruct the bad signature shares in the presence of active (malicious) players. In [16] the authors proposed the first proven scheme based on polynomial sharing, which is based on Desmedt and Frankel s scheme [13]. However in the case of active adversaries, which are allowed to send bad shares, the protocol has to be rewind at most t times, to remove the bad servers as the signature shares depend on the subgroup of t 1 servers enabling the reconstruction of the signature. Let Delta = The shares of d ....

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signature. In Crypto '91, LNCS 576, pages 457--469. Springer-Verlag, 1991.

....Related work. The first general notion of e#cient threshold cryptography was introduced by Desmedt [Des87] It started many studies on threshold computation models and concrete threshold schemes based on the basic schemes, such as RSA, DSA, ElGamal, etc [CMI93, GJKR96b, CGJ JL00, Jar01, DF91, GJKR96a, Rab98, FMY99, Sho00, DK01] These protocols develop many techniques for designing secure threshold protocols. We use some of them and develop new ones for our schemes. There are two types of forward signature schemes. The first type is a general construction based on arbitrary ....

Yvo Desmedt and Yair Frankel. Shared generation of authenticators and signatures. In Proceedings of Advances in Cryptology - CRYPTO '91, volume 576 of LNCS, pages 457--469. SpringerVerlag, 1991.

....is in the random oracle model only because the latter is used in the proof of security of the base signature scheme. We also show how proactive security can be added to our scheme using general methods of [HJKY, HJJKY] Related work. There exist many threshold signature scheme constructions, i.e. [DF89, H, DF91, FD, FGMY, R, GJKR96, Sh]. The proposals of [DF89, H] lack security proofs, the schemes of [DF89, DF91, FD] are non robust while those of [FGMY, R] are robust and proactive but require a lot of interaction. We compare our scheme with the threshold DSS signature scheme of Gennaro et al. GJKR96] and with the threshold RSA ....

....scheme. We also show how proactive security can be added to our scheme using general methods of [HJKY, HJJKY] Related work. There exist many threshold signature scheme constructions, i.e. DF89, H, DF91, FD, FGMY, R, GJKR96, Sh] The proposals of [DF89, H] lack security proofs, the schemes of [DF89, DF91, FD] are non robust while those of [FGMY, R] are robust and proactive but require a lot of interaction. We compare our scheme with the threshold DSS signature scheme of Gennaro et al. GJKR96] and with the threshold RSA scheme of Shoup [Sh] The threshold DSS signature proposed in [GJKR96] is robust, ....

Y. Desmedt and Y. Frankel, \Shared generation of authenticators and signatures," Advances in Cryptology { Crypto '91, LNCS Vol. 576, J. Feigenbaum ed., Springer-Verlag, 1991. 14

....an attacker floods the receiver with bogus packets supposedly containing a signature. Since signature verification is often computationally expensive, the receiver is overwhelmed verifying bogus signatures. Researchers proposed information theoretically secure broadcast authentication mechanisms [10, 11, 12, 13, 20, 34, 35, 36]. These protocols have a high overhead in large groups with many receivers. Canetti et al. construct a broadcast authentication protocol based on k different keys to authenticate every message with k different MAC s [7] Every receiver knows m keys and can hence verify m MAC s. The keys are ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In Advances in Cryptology --- CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 457--469, 1992.

....The share computations are performed individually by the leaders. The share validity checks and 4 group key construction are performed individually by group members. This protocol is related to verifiable secret sharing [6, 11, 19] and, more closely, to to threshold signature schemes [7, 14, 23]. The secrecy properties of the protocol rely on the hardness of computing discrete logarithms in a group of large prime order. Such a group G can be constructed by selecting two large prime numbers p and q such that p = 2q 1 and defining G as the unique subgroup of order q in Z p . The ....

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures. In Advances in Cryptology -- CRYPTO'91, volume 576 of Lecture Notes in Computer Science, pages 457--469. Springer-Verlag, 1991.

....who computes ks i2B g ks i , and decrypts (using the multiplicative inverse y ) the cryptogram m j my Theta y mod p: Group decryption can also be based on a combination of the RSA cryptosystem [70] and Shamir s threshold scheme. The scheme described by Desmedt and Frankel [36] works as follows. The dealer D computes the modulus N = pq, where p, q are strong primes, that is, p = 2p 1 and q = 2q 1 (where p and q are large and distinct primes) The dealer selects at random an integer e such that e and (N) are coprime ( N) is the least common multiple of ....

....Constructions The earliest proposals for shared generation schemes are by Itakura [51] and by Boyd [16] Boyd s scheme is a (n; n) threshold group signature based on RSA, in which if n 2, most participants must blindly sign the message. 0. 45.3 f Threshold RSA signature Desmedt and Frankel [36] construct a simultaneous threshold (t; n) RSA signature which requires a trusted third party to generate and distribute the group public key and the secret keys of the signers. Their scheme works as follows. In the initialization stage, a trusted KDC (dealer) selects at random a polynomial of ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," in Advances in Cryptology - Proceedings of CRYPTO '91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Science, pp. 457-469, Springer-Verlag, 1992.

....once issued. Malkin et al. 21] show that it may take 1.5 mins to 5 mins on average to generate a shared public key between three servers but it takes these servers only between 1. 2 s to 2 s to apply a joint signature) Though the idea of shared public keys has also been discussed by others [9, 24], we use the algorithm of Boneh and Franklin [8] because it allows for the generation of the shared public key without a trusted server. The ability to generate the shared public key without a trusted server outside the coalition is of essence as discussed in Section 2.1 (Requirement II) 3.2. ....

Y.Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures", Advances in Cryptology - Crypto '91, Springer-Verlag LNCS 576, 457-469, 1992.

....is one service private public key pair. It is used for signing responses and certificates. All clients and servers know the service public key. The service private key is held by no COCA server. Instead, di#erent shares of the key are stored on each of the servers, and threshold cryptography [22, 23, 20, 21, 31] is used to construct signatures on responses and certificates. To sign a message: 1) each COCA server generates a partial signature from the message and that server s share of the service private key; 2) some COCA server combines these partial signatures and obtains the signed message. 3 ....

....the network can invalidate these assumptions and cause the e vault protocols to fail. Like with COCA, clients of e vault communicate with the system through a single server (there called a gateway) Cryptographic Building Blocks and Public Key Infrastructure. COCA employs threshold cryptography [22, 23, 20, 21, 31] and proactive secret sharing [45, 43, 42, 30, 29] as building blocks. Because existing protocols were not intended for systems in which (only) our Fair Links and Asynchrony assumptions hold, it was necessary to design new protocols for COCA [86, 85] Implementations of threshold cryptography and ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures (Extended Abstracts). In J. Feigenbaum, editor, Advances in Cryptology---Crypto'91, the 11th Annual International Cryptology Conference, Santa Barbara, CA USA, August 11--15,

....security is not compromised as long as there are less than K collaborative intruders in each adversary group. To further resist intrusions over long term, we periodically (for example once every several hours) update the secret shares for all entities. The concepts of threshold secret sharing [14, 2, 4, 12, 15] and secret share updates [7, 5] are not new, and have been studied in the cryptography context. However, these proposals assume limited number of secret share holders, and are not scalable to network size. They typically involve excessive communication overhead, and assume a richlyconnected ....

....interpolation, SK is recovered from the sum d = P K j=1 SK j mod n) Instead of revealing the private exponent d to the coalition, a better security scheme is employed to accomplish certification services without constructing an explicit d. The corner stone of the multi signature protocol [2, 4, 12, 15] is the following arithmetic formula: X SK1 DeltaX SK2 Delta Delta Delta Delta DeltaX SKK = X SK1 SK2 Delta Delta Delta SK K : In this scheme each member provides a partial certificate X SK j rather than revealing its private SK j (Figure 3) 1 Lagrange coefficient in the ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures (Extended Abstract). In CRYPTO, pages 457--469, 1991.

....of authenticators Many applications require the power to generate an authentic message and or to verify the authenticity of a message to be be distributed among a number of principals. An example of such a situation is multiple signatures in a bank account or court room. Desmedt and Frankel [25] introduced systems with shared generation of authenticators (SGA systems) which have been studied in recent papers by: Safavi Naini [64] Gehrmann, van Dijk and Smeets, 29] and Safavi Naini and Martin [65] In such systems there is a group P of transmitters created with an structure Gamma ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. Proc. Crypto'91, LNCS, Vol. 576, Springer-Verlag, Berlin, 1992, pp. 457-469.

....private public key pair. It is used for signing responses and certi cates. All clients and servers know the service public key. The service private key is held by no COCA server, for obvious reasons. Instead, di erent shares of the key are stored on each of the servers, and threshold cryptography [16, 17, 14, 15, 24] is used to construct signatures on responses and certi cates. To sign a message: 1) each COCA server generates a partial signature from the message and that server s share of the service private key; 2) some COCA server combines these partial signatures and obtains the signed message. 4 ....

....masking Byzantine quorum system can tolerate compromise of as many as one fourth of servers. Recall, a dissemination quorum system tolerates one third of its servers being compromised. 37 single server (there called a gateway) Cryptographic Building Blocks. COCA employs threshold cryptography [16, 17, 14, 15, 24] and proactive secret sharing [38, 36, 35, 23, 22] as building blocks. Because this prior work was not intended for systems in which (only) our Fair Links and Asynchrony assumptions hold, it was necessary to design new protocols for COCA [78, 77] Implementations of threshold cryptography and ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures (Extended Abstracts). In J. Feigenbaum, editor, Advances in CryptologyCrypto'91, the 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1115,

....is responsible for all the machines covered by that MIB. Worse yet, the private key for this MIB is replicated on all those machines, making it fairly easy for an adversary to obtain it. There are at least two approaches to addressing this problem. The first is to use a threshold signature scheme [6], requiring a quorum of machines to sign MIBs. Although this may be the preferred solution in the long run, it requires some limited form of agreement, and we feel that the technology is not quite ripe for this approach. The second approach, and the one we have currently taken, is to simply not ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology---CRYPTO'91 Proceedings, volume 576 of Lecture Notes on Computer Science, pages 457--469. SpringerVerlag, Aug. 1992.

....at any point during execution of the protocol. A long line of research has focused on threshold cryptography, with particular emphasis on threshold signature schemes (in many cases, deriving a threshold decryption scheme from a related signature scheme is easy) The approach was initiated by [14, 15, 16], and the first provably secure schemes for RSA and DSS and other discrete log based signatures were given in [13, 27, 32] Subsequent work focused on adding robustness to existing schemes [21, 28, 29] and on threshold decryption schemes with security against chosen ciphertext attacks [44, 7, ....

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures. Crypto '91.

....security is not compromised as long as there are less than # collaborative intruders in each adversary group. To further resist intrusions over long term, we periodically (for example once every several hours) update the secret shares for all entities. The concepts of threshold secret sharing [14, 2, 4, 12, 15] and secret share updates [7, 5] are not new, and have been studied in the cryptography context. However, these proposals assume limited number of secret share holders, and are not scalable to network size. They typically involve excessive communication overhead, and assume a richlyconnected ....

....interpolation, ## is recovered from the sum # ## # # ### ## # mod ##. Instead of revealing the private exponent # to the coalition, a better security scheme is employed to accomplish certification services without constructing an explicit #. The corner stone of the multi signature protocol [2, 4, 12, 15] is the following arithmetic formula: # ## # ## ## # ## # ### ### # # ## # ### # ######## # In this scheme each member provides a partial certificate # ## # rather than revealing its private ## # (Figure 3) 1 Lagrange coefficient in the coalition is defined as # # # ### # #### # ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures (Extended Abstract). In CRYPTO, pages 457--469, 1991.

....RSA [21] the approach taken in this report is to focus on scalable and practical solutions in large scale ad hoc networks with dynamic node membership. In this report, we propose a suit of new algorithms that are fully distributed 2 and localized, based on but di#erent from existing works [10, 30, 25, 31, 34, 36, 21, 22] to achieve this goal. Our fully localized (typically within one hop neighborhood) protocols further achieve communication e#ciency and load balancing over the network to avoid network congestions. Through the localized design, our communication protocols are immune from the unreliability of ....

....communicate with, 4 and route packets for each other. It would be di#cult for each node to maintain a long list of trusted friends, potentially as large as the list contains all nodes in the whole network. Security function sharing has been a very active research area in cryptography research [12, 21, 22, 25, 26, 27, 30, 31, 35]. By distributing the functionality of the centralized CA server among a group of servers, the availability of such services is improved. The single point of failure can also be avoided. Threshold secret sharing [10] serves as a basic primitive for function sharing. The concept of proactive secret ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel. "Shared generation of authenticators and signatures (Extended Abstract)," CRYPTO, pages 457--469, 1991.

....of the 16th Annu. IEEE Conf. on Computational Complexity, 2001. extensive surveys on secret sharing literature. 1 Originally motivated by the problem of secure information storage, secret sharing schemes have found numerous other applications in cryptography and distributed computing (cf. [46, 10, 23, 25, 28]) However, secret sharing is independently interesting as a pure complexity question. The default complexity measure of secret sharing schemes is their share size, i.e. the total length of all shares distributed by the dealer. This is a measure of the amount of communication (or storage) ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology -- CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 457--469. Springer-Verlag, 1992.

....is indeed the study of efficient multiparty computation protocols for cryptographic functions (e.g. signing or decrypting) in which each party has as input a share of the secret key that allows the computation of such function. Examples of threshold cryptography protocols can be found in [DF91, DF89, CMI93, Har94, DDFY94, PK96, GJKR96b, FGY96, GJKR96a, JY]. The above cited protocols use, in various ways, expensive VSS protocols and zero knowledge proofs. Though some are more efficient than others there is still room and need for improvement. Our techniques can be readily applied to this scenario to obtain much more efficient protocols. In the ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology --- Crypto '91, pages 457--469, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 576.

....threshold RSA [18] signature scheme, noting that there are some technical obstructions to doing this arising from the fact that polynomial interpolation over the coefficient ring Z OE(n) where n is the RSA modulus and OE the Euler totient function, is somewhat awkward. Later, Desmedt and Frankel [6] return again to the problem of threshold RSA, and present a non robust threshold RSA scheme that is non interactive and with small share size, but with no security analysis. Frankel and Desmedt [10] present results extending those in [6] giving a proof of security for a non robust threshold RSA ....

....function, is somewhat awkward. Later, Desmedt and Frankel [6] return again to the problem of threshold RSA, and present a non robust threshold RSA scheme that is non interactive and with small share size, but with no security analysis. Frankel and Desmedt [10] present results extending those in [6], giving a proof of security for a non robust threshold RSA scheme with small share size, but which requires interaction. Later, De Santis et al. 3] present a variation (also non robust) on the scheme in [10] that trades interaction for large share size (growing linearly in the number of ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In Advances in Cryptology--Crypto '91, pages 457--569, 1991.

....the greatest threat to many cryptographic protocols. The most commonly proposed remedy is distribution of the secret key across multiple servers via secret sharing. For digital signatures, the primitive we consider in this paper, the main instantiation of this idea is threshold signature schemes [8]. The signature is computed in a distributed way based on the shares of the secret key, and a sufficiently large set of servers must be compromised in order to obtain the key and generate signatures. Distribution of the key makes it harder for an adversary to learn the secret key, but does not ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Proc. of CRYPTO ' 91, volume 576 of LNCS, pages 457--469. Springer-Verlag, Aug. 1991.

....some signers can generate a signature on a message together, one verifier is sufficient to verify a given signature and the verifier needs the identity of the signers for verification. In particular, the signers are not anonymous. In a threshold group signature scheme with anonymous signers [DeFr91] t out of a group of n signers are able to generate a signature on a message together and one verifier is sufficient to verify a given signature. It s not possible to find out from a given signature whose of the n signers generated this signature. Thus the signers are anonymous. Finally, in a ....

Y.Desmedt, Y.Frankel, "Shared generation of authenticators and signatures ", Lecture Notes in Computer Science 576, Proc. Crypto '91, Springer Verlag, (1992), pp. 457--469.

....given in this paper. 1.5. Scope The scope of signature schemes actually defined here is schemes that could be used in the place of handwritten signatures in law, i.e. where each signer has complete control over what she signs. This excludes blind and group signature schemes, e.g. 8] and [13] [17] their services are too different for a nice joint definition. For similar reasons, we have excluded schemes that need additional parties, e.g. identity based schemes [48] and schemes with specific helpers for the signature verification [10] 39] The general parts of the definition and ....

Yvo Desmedt and Yair Frankel (1992). Shared generation of authenticators and signatures. Crypto '91, LNCS 576, Springer-Verlag, 457--469.

....a standard RSA signature without having to reconstruct the private key d at a single location. This is clearly advantageous for securing a sensitive private RSA key such as the one used by a Certi cate Authority. Constructions providing a t out of k RSA threshold signatures schemes can be found in [16, 13, 21, 34]. An important issue left out of the above discussion is the initial generation of the RSA modulus N and the shares d i . Traditionally the modulus N and the shares of the private key are assumed to be generated by a trusted dealer. Clearly, the dealer, or anyone who compromises the dealer, can ....

....An important open problem is the generation of shared keys of special form. For example, a modulus which is a product of safe primes (i.e. where both p 1 2 and q 1 2 are prime) has been considered for security purposes [27] as well as for technical reasons related to threshold cryptography [16, 25]. Currently, our techniques do not enable shared generation of moduli of special form. Progress in this directions would be very helpful. Acknowledgments We thank Don Beaver for helpful discussions on our results. ....

Y. Desmedt and Y. Frankel, \Shared generation of authenticators and signatures", Crypto '91, 457-469.

....those systems are the ones being deployed in the real world and hence they are the ones that require real protection. As of today, RSA [RSA78] and DSS [NIST91] appear as the two most used schemes in practice. For the case of RSA signatures particular examples of threshold schemes can be found in [DF91, DDFY94, FGY96, GJKR96b, Rab98]. DSS signatures turn out to be less amenable to sharing techniques than RSA or even other ElGamal type of signatures. For this reason, many variants of ElGamal type signatures, have 2 been proposed that are more suitable to being turned into threshold schemes (see for example [Har94, PK96] ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology--CRYPTO'91, Lecture Notes in Computer Science Vol. 576, pp. 457--469. Springer-Verlat, 1992.

....the greatest threat to many cryptographic protocols. The most commonly proposed remedy is distribution of the secret key across multiple servers via secret sharing. For digital signatures, the primitive we consider in this paper, the main instantiation of this idea is threshold signature schemes [11]. The signature is computed in a distributed way based on the shares of the secret key, and a sufficiently large set of servers must be compromised in order to obtain the key and generate signatures. Distribution of the key makes it harder for an adversary to expose the secret key, but does not ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in cryptology -- CRYPTO ' 91, volume 576 of Lecture Notes in Computer Science, pages 457--469. Springer-Verlag, Aug. 1991.

.... and Hellman first introduced the concept of digital signature [DH76] Since their paper, this concept has been the subject of numerous researches [GMR88] We distinguish undeniable [CvA90] convertible [BCDP91] unconditionally secure, fail stop [WP90] blind, group [vH92] and multi signatures [DF92, DQ94]. The aim of this paper is to present a signature scheme in which the ability to sign messages of a signer is limited to a fixed number k of signatures. It is an identity based signature scheme in which each signature can be used only once. We called such schemes bounded life span . It is based ....

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures. Advances in cryptology, Proceedings of CRYPTO '91, Lecture Notes in Computer Science, N ffi 576, pp. 457--469, Springer-Verlag, 1992.

.... distributed among multiple parties, so it takes the participation of at least t of these parties to send out a valid revocation notice (and furthermore any t parties can do so) This can be achieved by distributing the functionality of the root into multiple parties and using threshold signatures [3, 5] so that the correct participation of t parties is necessary and sufficient to create a valid revocation. If this new distributed root consists of at least k t Gamma 1 parties, then this also provides crash fault tolerance for up to k Gamma 1 of the root parties. In order for the threshold ....

Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," In Advances in Cryptology---CRYPTO '91, Lecture Notes in Computer Science 576, 457--469, Springer-Verlag, 1992.

....for an insurer to enforce such restrictions is to require, using a threshold signature scheme, that an auditor (who is possibly the same entity as the insurer) participate in every signature. A survey of threshold cryptography can be found in [3] some threshold signature schemes are presented in [4, 6]. In two out of two threshold signature schemes, two parties hold shares of a private key K Gamma1 . Computing signatures with K Gamma1 requires participation of both parties; neither party can compute signatures without the help of the other. The resulting signature can, as usual, be ....

Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," In Advances in Cryptology---CRYPTO '91, Lecture Notes in Computer Science 576, 457--469, Springer-Verlag, 1992.

.... Desmedt [11] Boyd [2] Croft and Harris [8] and Desmedt and Frankel [12] A survey of threshold cryptography techniques can be found in [13] Protocols for discrete log based threshold cryptosystems can be found in [2, 4, 12, 24, 31, 20] Protocols for RSA based threshold cryptosystems include [9, 10, 15, 19, 33]. In Appendix B we present an example of threshold cryptography applied to RSA [34] The fault tolerance of the SSRI protocols we present in this paper (n 2t) is inherited from the fault tolerance of the distributed threshold signature decryption protocols [15, 19, 21, 14, 33] which is ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology --- Crypto '91, pages 457--469, Berlin, 1991. SpringerVerlag. Lecture Notes in Computer Science No. 576.

....coincides with the decryption algorithm, solutions to shared RSA signatures usually lead to shared RSA decryption procedures which have various applications, e. g key escrow (cf. Mic92] and secure distributed storage (cf. GGJR97] Desmedt and Frankel initiated the study of threshold RSA [DF91], which was followed by De Santis, Desmedt, Frankel, and Yung [DDFY94] These papers provide solutions for the problem of threshold RSA, however, they lack the robustness property. The basic paradigm followed by known threshold signature schemes is as follows. Each player 2 P i has a share d i ....

....can lead to a wrong nal signature on m. Therefore, in order to add the robustness property to such a threshold signature scheme it suces to solve the problem of verifying the correctness of a single partial signature. It turns out, that in all known threshold RSA signature schemes (e.g. [DF91, DDFY94, Rab98]) checking a partial signature reduces to checking an RSA signature produced using the secret d i held by the signing player P i . In these partial signatures d i is in fact a secret RSA exponent, and the partial signature has the form m d i mod n where n is the public RSA modulus. What makes ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology | Crypto '91, pages 457-469, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 576.

....is responsible for all the machines covered by that MIB. Worse yet, the private key for this MIB is replicated on all those machines, making it fairly easy for an adversary to obtain it. There are at least two approaches to addressing this problem. The first is to use a threshold signature scheme [6], requiring a quorum of machines to sign MIBs. Although this may be the preferred solution in the long run, it requires some limited form of agreement, and we feel that the technology is not quite ripe for this approach. The second approach, and the one we have currently taken, is to simply not ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology---CRYPTO '91 Proceedings,volume 576 of Lecture Notes on Computer Science, pages 457--469. SpringerVerlag, Aug. 1992.

....will never be calculated by the group, though. 2) Any t dishonest members cannot forge a signature. In a (k; n) threshold digital signature scheme, 1) k out of n members must cooperate to issue a signature. 2) Any k Gamma 1 dishonest members cannot forge a signature. Desmedt and Frankel [8] showed a (k; n) threshold RSA type digital signature scheme which requires a trusted center. As in group public key cryptosystems, Desmedt [1] showed that a t resilient digital signature scheme with no trusted center is obtained for any digital signature scheme by using a general purpose ....

Y. Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures ", In Proc. of Crypto'91, Lecture Notes in Computer Science, LNCS 576, Springer Verlag, pp.457--469, 1991.

....those systems are the ones being deployed in the real world and hence they are the ones that require real protection. As of today, RSA [RSA78] and DSS [NIST91] appear as the two most used schemes in practice. For the case of RSA signatures particular examples of threshold schemes can be found in [DF91, DDFY94, FGY96, GJKR96b, Rab98]. DSS signatures turn out to be less amenable to sharing techniques than RSA or even other ElGamal type of signatures. For this reason, many variants of ElGamal type signatures, have been proposed that are more suitable to being turned into threshold schemes (see for example [Har94, PK96] The ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology--CRYPTO'91, Lecture Notes in Computer Science Vol. 576, pp. 457--469. Springer-Verlat, 1992.

....be surveyed in Section 4.3 and discussed in more details in Section 5.2. Finally, OE(n) must remain secret, which implies that the shareholders should not know Z OE(n) The reader interested in detailed descriptions of how these technical issues in these basic schemes have been solved can consult [10, 9, 33, 29, 22, 34, 19]. 4 Recent research: a brief survey For several cryptoschemes and applications one has developed threshold crypto variants, such as threshold zero knowledge proofs, threshold pseudorandom generators, etc. The concept of threshold cryptography has also been extended to general access structures ....

....attack if 1=q. If q is a prime, then any homomorphic secret sharing scheme might be used to transform this scheme into a threshold authentication one. Indeed, let s i be a share of a and s 0 i be a share of b, then MAC i = m Delta s i s 0 i is a share of the MAC, called a partial MAC [22, 30, 27]. If Shamir s secret sharing scheme is used, as in [30] this scheme is not robust. Using the connection between threshold schemes and error correcting codes [18, 54, 48] this scheme can easily be made robust. Indeed, let the shares of a, i.e. s 1 ; s 2 ; s l ) and the shares of b, ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology --- Crypto '91, Proceedings (Lecture Notes in Computer Science 576), pp. 457--469. Springer-Verlag, 1992. Santa Barbara, California, U.S.A., August 12--15.

....only the identity function f(s) s, then we get the traditional notion of secret sharing schemes. These schemes, which were introduced by Blakley [8] and Shamir [34] were the subject of a considerable amount of work (e.g. 30, 26, 28, 6, 35, 20] They were used in many applications (e.g. [31, 5, 15, 19]) and were generalized in various ways [22, 7, 36] Surveys are given in [35, 37] The question of sharing many secrets simultaneously was considered (with some di erences in the de nitions) by several researchers [30, 26, 21, 11, 23, 10, 24] Simultaneous sharing of many secrets is also a special ....

..... 1 Let s1 ; s2 ; s be the secrets we want to share simultaneously. Construct the concatenated 1 similar scenarios in which sharing is viewed as a form of encryption and the security is computationally bounded have been considered in [32, 3, 1] Threshold cryptography [19, 18, 17] is also a special case of secret sharing for a family of functions. 2 A typical scenario of threshold cryptography is the following: Every set B of t parties should be able to sign any document such that any coalition C of less than t parties cannot sign any other document (even if the ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel, Shared generation of authenticators and signatures, in Advances in Cryptology - CRYPTO '91, J. Feigenbaum, ed., vol. 576 of Lecture Notes in Computer Science, Springer-Verlag, 1992, pp. 457-469.

....developed tools to allow proactive security [28] in discrete log based systems. They also defined the notion of a proactive public key system. Tools to allow proactive security in RSA based systems were given in [16, 15, 30] Previous work on threshold and robust threshold RSA systems is given in [10, 8, 17, 22]. None of these tools have been shown to be secure against an adaptive adversary. Recently the notion of security against adaptive adversaries in threshold public key systems was dealt with (in systems less constrained than ours) 19, 3] Our Contributions and Techniques: We base our system on ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures (extended abstract). In CRYPTO'91 [7], pages 457--469.

.... value (a signature or a cleartext) As long as an adversary does not corrupt a certain threshold of servers the system remains secure (as opposed to centralized cryptosystems in which the compromise of a single entity breaks the system) Function sharing (Threshold) systems were presented in [16, 17, 15]. Robust function sharing systems, in which the function can be evaluated correctly even if the adversary causes share holders it controls to misbehave arbitrarily, were presented in [30, 25, 29] Constructions of these systems are required to be efficient (e.g. they should not involve generic ....

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures (extended abstract). In CRYPTO'91 [12], pages 457--469.

....of single points of failure (for surveys on the subject see [D92,FY98] In particular we concentrate on distributed systems based on RSA [RSA] which is perhaps the most widely used public key function. Such distributed RSA systems have been shown possible in various security adversarial models [B88,F89,DF91,DDFY,FGY,GJKR96,FGMY,FGMY2,R]. The cryptographic objective of a distributed threshold RSA function sharing system is to distribute the RSA signing capability so that any t or more entities can sign a message, yet an adversary that compromises at most t Gamma 1 entities can not sign. 1 1.1 The basic issues In addition to ....

....security, efficiency and flexible control is essential in the design of practical systems. 1. 2 Our results Our specific results on distributed cryptosystems include: Security By incorporating pseudorandom intermixing, we are able to convert the simple yet heuristic threshold RSA protocol of [DF91] into a provably secure protocol. Pseudorandom intermixing is able to achieve this by converting public values which are not known to be simulatable into random looking values that are easy to simulate. Efficiency By incorporating pseudorandom intermixing, we are able to reduce the communication ....

[Article contains additional citation context not shown here]

Y. Desmedt and Y. Frankel, Shared Generation of Authenticators and Signatures Advances in Cryptology-Crypto '91, pp. 457-469. Springer-Verlag.

No context found.

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In CRYPTO '91, volume 576 of LNCS, pages 457--469. 1992.

No context found.

Y. Desmedt and Y. Frankel, "Shared Generation of Authenticators and Signatures, " Proc. of CRYPTO '91, Springer-Verlag LNCS, vol. 576, pp. 457--469, 1991.

No context found.

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology -- CRYPTO'91, volume 576 of Lecture Notes in Computer Science, pages 457--469, Santa Barbara, CA, USA, Aug. 11--15, 1991. SpringerVerlag, Berlin, Germany.

No context found.

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In Advances in Cryptology--Crypto '91, pages 457--569, 1991.

No context found.

Y. Desmedt and Y. Frankel, Shared Generation of Authenticators and Signatures, Crypto'91.

No context found.

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures (Extended Abstract). In J. Feigenbaum, editor, Advances in Cryptology---Crypto'91, the 11th Annual International Cryptology Conference, Proceedings, volume 576 of Lecture Notes in Computer Science, pages 457--469, Berlin, Germany, 1992. Springer-Verlag.

No context found.

Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signatures (Extended Abstract). In CRYPTO, pages 457--469, 1991.

No context found.

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures (Extended Abstract). In: Advances in Cryptology - CRYPTO'91, LNCS 576, pp.457-469. Springer-Verlag, 1991.

No context found.

Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology --- Crypto '91, pages 457--469, Berlin, 1991. Springer-Verlag. LNCS No. 576.

No context found.

Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," in Proc. CRYPTO '91, pp. 457--469, Springer, 1992.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC