#### DMCA

## Self-blindable credential certificates from the weil pairing (2001)

### Cached

### Download Links

- [www.iacr.org]
- [www.cs.ru.nl]
- [www.cs.ru.nl]
- [www.cs.ru.nl]
- [www.mathmagic.cn]
- DBLP

### Other Repositories/Bibliography

Citations: | 56 - 1 self |

### Citations

1548 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
(Show Context)
Citation Context ...nowledge fashion with the Schnorr identification protocol [25]. Moreover, several digital signature systems can be based on the user public, private key pairs mentioned above, e.g., DSA [15], ElGamal =-=[14]-=- and Schnorr [25]. Finally, a certificate issued by a trust provider with public key h, h z on a user public key g x takes the form: {g x , g xz }. Note that the above certificate is based on the vari... |

1188 |
The Arithmetic of Elliptic Curves
- Silverman
- 1986
(Show Context)
Citation Context ...lled a distortion map in [27]) on Ca that maps a point (x, y) on the curve to the point (ω · x, y) also on the curve (over GF(p 2 )) and where eq(., .) is the so-called Weil pairing. See [1], [20] or =-=[26]-=-. As the Weil pairing is efficiently computable, the DDH problem is also efficiently computable in this situation. It is well-known that the DL problem in the group of points on the curve in GF(p) red... |

641 |
Group Signatures
- Chaum, Heyst
- 1991
(Show Context)
Citation Context ... will delve no further into this property in this paper. In the terminology we introduced above, we formulate the security assumption that we require for our variant of the Chaum-Pedersen scheme (cf. =-=[8]-=-, [9]). Assumption 21 If the Diffie-Hellman problem with respect to g is hard, then without knowledge of the private signing key z, the only forged message an attacker can make on the basis of signed ... |

505 | Security without identification: transaction systems to make big brother obsolete
- Chaum
- 1985
(Show Context)
Citation Context ...e certificates. Such certificates can be constructed using the Weil pairing in supersingular elliptic curves. 1 Introduction Credential pseudonymous certificates (CPCs) were introduced by David Chaum =-=[7]-=- in 1985 to counter some of the privacy problems related to identity certificates. One such problem is that service providers know exactly who they are servicing when a user employs an identity certif... |

394 |
Efficient Identification and Signatures for Smart Cards
- Schnorr
- 1989
(Show Context)
Citation Context ...private keys. There is a subtle reason why x = 0 is principally not allowed, see below. Note that a user can prove possession of x in a zero-knowledge fashion with the Schnorr identification protocol =-=[25]-=-. Moreover, several digital signature systems can be based on the user public, private key pairs mentioned above, e.g., DSA [15], ElGamal [14] and Schnorr [25]. Finally, a certificate issued by a trus... |

371 |
Wallet databases with observers
- Chaum, Pedersen
- 1992
(Show Context)
Citation Context ...ed to the special case of a credential certificate system. As a final note, we remark that the privacy of our scheme can be further improved by the use of “Wallet with Observer” techniques, cf., [5], =-=[11]-=-.s538 Eric R. Verheul Outline of the paper – In Section 2, we describe a variant of the Chaum-Pedersen digital signature scheme which is of crucial importance for our constructions of self-blindable c... |

333 |
A One Round Protocol for Tripartite Diffie-Hellman
- Joux
- 2000
(Show Context)
Citation Context ... = g x ∈ G, with 0 ≤ x < q, find x = DL(α). The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem G is hard, then so is the DH problem. Currently, cf. =-=[16]-=-, [27], [17], a large class of groups has been discovered in which the DDH problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. This class consists of certai... |

328 |
Elliptic Curve Public Key Cryptosystems.
- Menezes
- 1993
(Show Context)
Citation Context ...hism (called a distortion map in [27]) on Ca that maps a point (x, y) on the curve to the point (ω · x, y) also on the curve (over GF(p 2 )) and where eq(., .) is the so-called Weil pairing. See [1], =-=[20]-=- or [26]. As the Weil pairing is efficiently computable, the DDH problem is also efficiently computable in this situation. It is well-known that the DL problem in the group of points on the curve in G... |

308 | An efficient system for non-transferable anonymous credentials with optional anonymity revocation
- Camenisch, Lysyanskaya
(Show Context)
Citation Context ...ctively implies sharing a credential that is highly valuable to the user, most notably one enabling him to take over the user’s identity and digitally sign contracts that legally binds the user (cf., =-=[6]-=-, [5]). Revocation of pseudonymous certificates and credentials Under certain circumstances, it should be possible for the user and trust providers to revoke pseudonymous certificates as well as crede... |

274 | Untraceable off-line cash in wallets with observers (extended abstract),” in
- Brands
- 1993
(Show Context)
Citation Context ...ansfer), one needs to trust devices resistant to user tampering. 4.2 A more robust construction This construction is based on the technique in Brands’ e-cash scheme to trace double spenders (cf. from =-=[4]-=-). Just as in the previous section our construction is based on the variant of the Chaum-Pedersen signature scheme as introduced in Section 2. So, again, let G = 〈g〉 be a group of prime order q in whi... |

274 |
Rethinking public key infrastructures and digital certificates: building in privacy.
- Brands
- 2000
(Show Context)
Citation Context ...ly implies sharing a credential that is highly valuable to the user, most notably one enabling him to take over the user’s identity and digitally sign contracts that legally binds the user (cf., [6], =-=[5]-=-). Revocation of pseudonymous certificates and credentials Under certain circumstances, it should be possible for the user and trust providers to revoke pseudonymous certificates as well as credential... |

144 | Pseudonym Systems
- Lysyanskaya, Rivest, et al.
(Show Context)
Citation Context ...erent users. Damg˚ard’s scheme [13], is based on general complexity-theoretic primitives and is therefore not applicable for practical use. The scheme developed by Lysyanskaya, Rivest, Sahai and Wolf =-=[19]-=- is based on one-way functions and general zero-knowledge proofs which also makes it inappropriate for practical use. Our CPC system can be considered as the opposite of the credential scheme [6] cons... |

122 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model.
- Damgard
- 2001
(Show Context)
Citation Context ...ew, this is undesirable. Chen’s scheme [12], envisions a trusted party who, amongst other things, should be trusted to refrain from transferring credentials between different users. Damg˚ard’s scheme =-=[13]-=-, is based on general complexity-theoretic primitives and is therefore not applicable for practical use. The scheme developed by Lysyanskaya, Rivest, Sahai and Wolf [19] is based on one-way functions ... |

97 | Evidence that XTR is more secure than supersingular elliptic curve cryptosystems.
- Verheul
- 2004
(Show Context)
Citation Context ... ∈ G, with 0 ≤ x < q, find x = DL(α). The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem G is hard, then so is the DH problem. Currently, cf. [16], =-=[27]-=-, [17], a large class of groups has been discovered in which the DDH problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. This class consists of certain grou... |

92 | The XTR Public Key System
- Lenstra, Verheul
- 2000
(Show Context)
Citation Context ...It is shown in [27] that inverting such embeddings is hard; in fact, as hard as the DH problem in the group G. Note that by using a specific choice of G, the group G ′ could be the XTR group. Compare =-=[18]-=- and [27]. A group of points on a (supersingular) elliptic curve over a finite field used in cryptography is typically chosen in such a way that its order is a prime number times a small number (e.g.,... |

75 | Separating decision diffie-hellman from diffie-hellman in cryptographic groups. Available from http://eprint.iacr.org/2001/003/,
- Joux, Nguyen
- 2001
(Show Context)
Citation Context ...with 0 ≤ x < q, find x = DL(α). The DL problem is at least as difficult as the DH problem. It is widely assumed that if the DL problem G is hard, then so is the DH problem. Currently, cf. [16], [27], =-=[17]-=-, a large class of groups has been discovered in which the DDH problem is simple, while the Diffie-Hellman and discrete logarithm problems are presumably not. This class consists of certain groups of ... |

55 |
Reducing elliptic curve logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
(Show Context)
Citation Context ... also efficiently computable in this situation. It is well-known that the DL problem in the group of points on the curve in GF(p) reduces to the DL problem in a subgroup of order q in GF(p 2 ) ∗ (cf. =-=[21]-=- ). That is, to make the DH and DL problems practically intractable against attacks known today, the length of the prime number q should be at least 160 bit and the length of the prime number should b... |

53 |
A secure and privacy–protecting protocol for tranmitting personal information between organisation. In:
- Chaum, Evertse
- 1986
(Show Context)
Citation Context ...d Work As we could probably write an entire paper just discussing and comparing all of the CPC schemes that have been published, we will be brief. The first scheme was introduced by Chaum and Evertse =-=[10]-=- and is based on having a semi-trusted third party involved in all credential translations. Both from an efficiency and a security point of view, this is undesirable. Chen’s scheme [12], envisions a t... |

46 |
M.Franklin, Identity-based encryption from the weil pairing,
- Boneh
- 2001
(Show Context)
Citation Context ...bit prime number p of type p = 6q − 1 where q is also a prime number and consider the curve C1 : y 2 = x 3 + 1. Let P be any GF(p)-rational point on the curve of order q. This construction is used in =-=[2]-=- in the setting of an identity-based encryption scheme that is also based on the Weil pairing. This paper also analyzes the work needed to solve the DDH problem in the group 〈P 〉, which amounts to a s... |

36 |
Access with pseudonyms. In
- Chen
- 1995
(Show Context)
Citation Context ...um and Evertse [10] and is based on having a semi-trusted third party involved in all credential translations. Both from an efficiency and a security point of view, this is undesirable. Chen’s scheme =-=[12]-=-, envisions a trusted party who, amongst other things, should be trusted to refrain from transferring credentials between different users. Damg˚ard’s scheme [13], is based on general complexity-theore... |

29 |
Hovav Shacham. Short signatures from the Weil pairing
- Boneh, Lynn
(Show Context)
Citation Context ...ents in the subgroup without knowledge of relative discrete logarithms is very simple, e.g., by mapping a hash value into a point on the curve and then mapping it to a point in the subgroup. See also =-=[3]-=-. 2.2 The ‘proofless’ variant of the Chaum-Pedersen scheme As explained in the previous section, we consider a group, G, of prime order q, with generator g, in which the DDH problem is simple, while t... |

1 |
Provable Secure and Practical Identifications and Corresponding Signature Schemes
- Okamoto
- 1993
(Show Context)
Citation Context ...ire that g x1 1 gx2 2 be unequal to the unity element. Note that a participant can prove possession of x1, x2 in a zero-knowledge fashion with the Okamoto variant of Schnorr’s identification protocol =-=[22]-=-. In the same paper, a variant of Schnorr’s signature scheme is described based on the user public, private key pairs mentioned above. Finally, a certificate issued by a trust provider with public key... |

1 |
Online Certificate Status Protocol (OCSP), available from www.ietf.org
- RFC
(Show Context)
Citation Context ...of the (credential) pseudonymous certificate to the service provider. This functionality resembles the use of an On-line Certificate Status Protocol (OCSP) request, commonly used on the Internet (cf. =-=[23]-=-). Of course, the service provider still needs to verify that the user is in possession of the private key referenced in the used randomized CPC. The second revocation technique can be supplemented wi... |

1 |
SPKI Certificate Theory, available from www.ietf.org
- RFC
(Show Context)
Citation Context ...pseudonymous certificate. Also note that the pseudonym of a user is in fact the user’s public key in its certificate, which is reminiscent of the SPKI (Simple Public Key Infrastructure) approach, cf. =-=[24]-=-.sSelf-Blindable Credential Certificates from the Weil Pairing 543 Note that the self-blinding properties of the certificates enable the users themselves to generate a new pseudonymous certificate val... |