
## Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-Group signature scheme (2003)


Venue: | PROCEEDINGS OF PKC 2003, VOLUME 2567 OF LNCS |

Citations: | 191 - 0 self |

### Citations

2578 | How to share a secret
- SHAMIR
- 1979
Citation Context ...h proofs under the appropriate computational assumptions using the corresponding notions of security. The new GDH threshold signature scheme. The idea behind the (t, n) threshold cryptography approach [9, 14, 16, 43] is to distribute secret information (i.e. a secret key) and computation (i.e. signature generation or decryption) between n parties in order to remove single point of failure. The goal is to allow an... |

1743 | Identity-based encryption from the Weil pairing - Boneh, Franklin - 2001 |

1641 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context .... A deterministic verification algorithm V takes a public key pk, a message M and a signature σ and outputs 1 (accepts) if the signature is valid and 0 (rejects) otherwise. In the random oracle model [1] both signing and verification algorithms have access to the random hash oracle. Usually M ∈ {0, 1}*. The common requirement is that V(pk, S(I, sk, M)) = 1 for all M ∈ {0, 1}*. The widely-accepted noti... |

753 | Short signature from the Weil pairing - Boneh, Lynn, et al. - 2001 |

641 | Group Signatures - Chaum, Heyst - 1991 |

502 |
Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1991
Citation Context ...a trusted dealer producing Shamir’s secret sharing of a secret [43]. Some threshold signature scheme, e.g. threshold DSS proposed in [21] use the distributed key generation protocol (DKG) of Pedersen [38]. The intuition behind the latter protocol is to have n parallel executions of Feldman’s verifiable secret sharing protocol [18], such that each player acts as a dealer. However, [22] point out the we... |

375 | Security Arguments for Digital Signatures and Blind Signatures
- Pointcheval, Stern
- 2000
Citation Context ...their construction a user has to be able to produce a valid signature of a previously unsigned message. The accepted formalization of security for blind signature is security against one-more-forgery [39, 40]. Definition 4. Let S be a signature scheme and let BS = (BK, BS, BV) be the corresponding blind signature scheme. An adversary A learns the public key pk randomly generated by BK. A is allowed to play... |

296 | Threshold cryptosystems,” - Desmedt, Frankel - 1989 |

290 |
A practical scheme for non-interactive verifiable secret sharing
- Feldman
- 1987
Citation Context ...d in [21] use the distributed key generation protocol (DKG) of Pedersen [38]. The intuition behind the latter protocol is to have n parallel executions of Feldman’s verifiable secret sharing protocol [18], such that each player acts as a dealer. However, [22] point out the weakness of DKG of [38]. Namely, it is possible for a corruptive adversary to prevent the protocol from completing correctly by ma... |

231 | Proactive secret sharing or: How to cope with perpetual leakage”,
- Herzberg, Jarecki, et al.
- 1995
Citation Context ... the random oracle model only because the latter is used in the proof of security of the base signature scheme. We also show how proactive security can be added to our scheme using general methods of [26, 25]. Related work. There exist many threshold signature scheme constructions, i.e. [16, 24, 17, 19, 41, 21, 44]. The proposals of [16, 24] lack security proofs, the schemes of [16, 17] are non-robust while ... |

171 | Secure distributed key generation for discrete-log based cryptosystem”,
- Gennaro, Jarecki, et al.
- 1999
Citation Context ... the corresponding threshold GDH signature scheme TGS[G] = (TK, TS, V) are defined as follows. TK is exactly the distributed key generation protocol DKG for discrete-log based systems of Gennaro et al. [22]¹. It is jointly executed by a set of parties {P1, ..., Pn}. It takes as input I and outputs a public key y. The private output of each player Pi is a share xi such that (x1, ..., xn) −(t,n)→ x, where x =... |

168 | How to withstand mobile virus attacks”, - Ostrovsky, Yung - 1991 |

144 | Robust threshold DSS signatures - Jarecki, Krawczyk, et al. - 1996 |

141 | Fast Batch Verification for Modular Exponentiation and Digital Signatures
- Bellare, Garay, et al.
- 1998
Citation Context ...e same message under different public keys². ² This problem is orthogonal to the problem of batch verification of signatures of the different messages under the same key, which has been addressed in [3]. A verifier needs first to play the role of D above to multiply the given signatures and then continue the verification according to the ... |

134 |
Error correction of algebraic block codes,
- Berlekamp, Welch
- 1986
Citation Context ... of the product of these secrets and producing shares of a reciprocal of a secret given shares of this secret. To achieve robustness, the authors use error-correction techniques of Berlekamp and Welch [4]. As a result, the threshold DSS can tolerate only t < n/4 malicious parties, the threshold signature-generation protocol requires a lot of interaction and the complexity of a threshold scheme increases ... |

119 | Shared generation of authenticators and signatures,” - Desmedt, Frankel - 1991 |

114 |
Society and group oriented cryptography: a new concept,” in
- Desmedt
- 1978
Citation Context ...h proofs under the appropriate computational assumptions using the corresponding notions of security. The new GDH threshold signature scheme. The idea behind the (t, n) threshold cryptography approach [9, 14, 16, 43] is to distribute secret information (i.e. a secret key) and computation (i.e. signature generation or decryption) between n parties in order to remove single point of failure. The goal is to allow an... |

113 |
Threshold cryptography.
- Desmedt
- 1994
Citation Context ...m the computation while preserving security even in the presence of an active adversary which can corrupt up to t (a threshold) parties. A review of research on threshold cryptography is presented in [15]. In threshold signature schemes the secret key is distributed among n parties with the help of a trusted dealer or without it by running an interactive protocol among all parties. To sign a message M... |

100 | Proactive Public Key and Signature Systems,"
- Herzberg, Jakobsson, et al.
- 1997
Citation Context ... the random oracle model only because the latter is used in the proof of security of the base signature scheme. We also show how proactive security can be added to our scheme using general methods of [26, 25]. Related work. There exist many threshold signature scheme constructions, i.e. [16, 24, 17, 19, 41, 21, 44]. The proposals of [16, 24] lack security proofs, the schemes of [16, 17] are non-robust while ... |

92 | A simplified approach to threshold and proactive rsa
- Rabin
- 1998
Citation Context ... base signature scheme. We also show how proactive security can be added to our scheme using general methods of [26, 25]. Related work. There exist many threshold signature scheme constructions, i.e. [16, 24, 17, 19, 41, 21, 44]. The proposals of [16, 24] lack security proofs, the schemes of [16, 17] are non-robust while those of [19, 41] are robust and proactive but require a lot of interaction. We compare our scheme with the ... |

91 | The one-more-rsa-inversion problems and the security of chaum’s blind signature scheme - Bellare, Namprempre, et al. |

78 | Provably secure blind signature schemes. In
- Pointcheval, Stern
- 1996
Citation Context ...their construction a user has to be able to produce a valid signature of a previously unsigned message. The accepted formalization of security for blind signature is security against one-more-forgery [39, 40]. Definition 4. Let S be a signature scheme and let BS = (BK, BS, BV) be the corresponding blind signature scheme. An adversary A learns the public key pk randomly generated by BK. A is allowed to play... |

75 | Separating decision diffie-hellman from diffie-hellman in cryptographic groups. Available from http://eprint.iacr.org/2001/003/,
- Joux, Nguyen
- 2001
Citation Context ...ing [8] we will refer to such groups as Gap Diffie-Hellman (GDH) groups. The first example a GDH group is given in [29] and more details on the existence and composition of GDH groups can be found in [30, 6, 8]. Another signature scheme that works in GDH groups has been proposed by Lysyanskaya in [32]. Unlike the scheme of [8], it does not use random oracles but is less efficient. Let G be a GDH group of pr... |

65 |
A One-Round Protocol for Tripartite Diffie-Hellman,”
- Joux
- 2000
Citation Context ...d Diffie-Hellman tuple, namely, they have the property that log_g u = log_v h.) Following [8] we will refer to such groups as Gap Diffie-Hellman (GDH) groups. The first example a GDH group is given in [29] and more details on the existence and composition of GDH groups can be found in [30, 6, 8]. Another signature scheme that works in GDH groups has been proposed by Lysyanskaya in [32]. Unlike the sche... |

63 | Unique Signatures and Verifiable Random Functions from the DH-DDH Separation.
- Lysyanskaya
- 2002
Citation Context ...roup is given in [29] and more details on the existence and composition of GDH groups can be found in [30, 6, 8]. Another signature scheme that works in GDH groups has been proposed by Lysyanskaya in [32]. Unlike the scheme of [8], it does not use random oracles but is less efficient. Let G be a GDH group of prime order p and let g be a generator of G. Similarly to most discrete-log-based schemes, the... |

56 |
Maintaining Security in the Presence of Transient Faults, Crypto 94
- Canetti, Herzberg
Citation Context ...hich requires that even t malicious parties that deviate from the protocol cannot prevent it from generating a valid signature. Another useful property of a threshold signature scheme is proactivness [37, 13] (or periodic refreshment of shares of a secret) whose goal is to protect a system from an adversary that builds-up knowledge of a secret by several attempted break-ins to several locations. In general... |

53 | Accountable-subgroup Multisignatures. On proceedings
- Micali, Ohta, et al.
- 2001
Citation Context ...also a third party called a group manager which can identify the identity of the signer. Related work. Multisignatures have been introduced in [28] and have been the topic of many other works such as [24, 31, 27, 34, 35, 36, 33]. The schemes of [35, 36] do not support subgroups of signers, they allow only the case where each player of the group signs the document. The solutions of [28, 34] are not very efficient: multisignatu... |

50 | Proactive RSA. - Frankel, Gemmell, et al. - 1997 |

41 |
A Public-key Cryptosystem Suitable for Digital Multisignatures
- Itakura, Nakamura
- 1983
Citation Context ...t to a verifier. In the group signature setting there is also a third party called a group manager which can identify the identity of the signer. Related work. Multisignatures have been introduced in [28] and have been the topic of many other works such as [24, 31, 27, 34, 35, 36, 33]. The schemes of [35, 36] do not support subgroups of signers, they allow only the case where each player of the group ... |

39 | Parallel reliable threshold multisignature. Security - Frankel, Desmedt - 1992 |

27 |
Multisignature schemes secure against active insider attacks
- Ohta, Okamoto
- 1999
Citation Context ...also a third party called a group manager which can identify the identity of the signer. Related work. Multisignatures have been introduced in [28] and have been the topic of many other works such as [24, 31, 27, 34, 35, 36, 33]. The schemes of [35, 36] do not support subgroups of signers, they allow only the case where each player of the group signs the document. The solutions of [28, 34] are not very efficient: multisignatu... |

24 |
A Digital Multisignature Scheme based on the Fiat-Shamir Scheme
- Ohta, Okamoto
- 1999
Citation Context ...also a third party called a group manager which can identify the identity of the signer. Related work. Multisignatures have been introduced in [28] and have been the topic of many other works such as [24, 31, 27, 34, 35, 36, 33]. The schemes of [35, 36] do not support subgroups of signers, they allow only the case where each player of the group signs the document. The solutions of [28, 34] are not very efficient: multisignatu... |

21 |
Digital multisignatures. Cryptography and Coding
- Boyd
- 1989
Citation Context ...h proofs under the appropriate computational assumptions using the corresponding notions of security. The new GDH threshold signature scheme. The idea behind the (t, n) threshold cryptography approach [9, 14, 16, 43] is to distribute secret information (i.e. a secret key) and computation (i.e. signature generation or decryption) between n parties in order to remove single point of failure. The goal is to allow an... |

21 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups", J. Cryptology Online First, available from http://eprint.iacr.org/2001/003 - Joux, Nguyen |

18 | A practical scheme for non-interactive verifiable secret sharing - Feldman - 1987 |

17 |
Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders
- Li, Hwang, et al.
- 1995

15 |
Group-oriented (t,n) threshold digital signature scheme and digital multisignature,”
- Harn
- 1994
Citation Context ... base signature scheme. We also show how proactive security can be added to our scheme using general methods of [26, 25]. Related work. There exist many threshold signature scheme constructions, i.e. [16, 24, 17, 19, 41, 21, 44]. The proposals of [16, 24] lack security proofs, the schemes of [16, 17] are non-robust while those of [19, 41] are robust and proactive but require a lot of interaction. We compare our scheme with the ... |

13 | Meta-multisignatures schemes based on the discrete logarithm problem,” IFIP/Sec
- Horster, Michels, et al.
- 1995

12 |
signatures from the Weil pairing, Asiacrypt 2001, LNCS 2139
- Boneh, Shacham, et al.
- 2004
Citation Context ...up (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing ... |

11 |
Practical Threshold Signatures," EUROCRYPT'00
- Shoup
- 2000
Citation Context ... base signature scheme. We also show how proactive security can be added to our scheme using general methods of [26, 25]. Related work. There exist many threshold signature scheme constructions, i.e. [16, 24, 17, 19, 41, 21, 44]. The proposals of [16, 24] lack security proofs, the schemes of [16, 17] are non-robust while those of [19, 41] are robust and proactive but require a lot of interaction. We compare our scheme with the ... |

10 |
Threshold Cryptosystems. CRYPTO’89
- Desmedt, Frankel

8 | Public key signatures in the multi-user setting - Galbraith, Malone-Lee, et al. |

7 | Fast batch verification for modular exponentiation and digital signatures - Bellare, Garay, et al. - 1998 |

7 | Efficient group signatures for large groups - Camenisch, Stadler - 1997 |

7 | A one-round protocol for tripartite Diffie-Hellman - Joux - 2000 |

6 | Unique signatures and verifiable random functions from the DH-DDH separation - Lysyanskaya - 2002 |

5 |
H.: Blind Multisignatures and their relevance for Electronic Voting
- Horster, Michels, et al.
- 1995
Citation Context ...p of signers so that multisignature’s length is independent from the number of signers and the signers or their coalition do not learn any information about the message. Horster, Michels and Petersen [HMP1] discuss such schemes and suggest that they can be useful for voting protocols. They also propose blind multisignature protocol based on El Gamal signature scheme. We note that our multisignature MGS ... |

4 | A digital multisignature schema using bijective public-key cryptosystems - Okamoto - 1988 |

4 | Digital Multisignatures," in Cryptography and Coding - Boyd - 1989 |

3 |
Robust threshold DSS signatures,” Eurocrypt 96
- Gennaro, Jarecki, et al.
- 1996

3 |
How to withstand mobile virus attacks,” PODC
- Ostrovsky, Yung
- 1991
Citation Context ...hich requires that even t malicious parties that deviate from the protocol cannot prevent it from generating a valid signature. Another useful property of a threshold signature scheme is proactivness [37, 13] (or periodic refreshment of shares of a secret) whose goal is to protect a system from an adversary that builds-up knowledge of a secret by several attempted break-ins to several locations. In general... |

3 |
How to leak a secret”, Asiacrypt 01
- Rivest, Shamir, et al.
- 2001
Citation Context ...hat the verification protocol of a threshold signature scheme does not depend on the current subgroup of signers. Multisignatures are also different from group signatures [13, 10] and ring signatures [42], where every individual member of the group can produce a valid signature on behalf of the whole group. In the latter two settings a signer remains anonymous with respect to a verifier. In the group ... |

3 | Practical threshold signatures”, Advances in Cryptology – Eurocrypt ’00 - Shoup - 2000 |

2 |
Shared generation of authenticators and signatures,” Crypto 91
- Desmedt, Frankel
- 1991

2 |
Proactive RSA,” Crypto 97
- Frankel, Gemmal, et al.
- 1997

2 | Society and group oriented cryptography,” Advances - Desmedt - 1987 |

1 |
The One-More-RSA-Inversion Problems and the security of
- Bellare, Namprempre, et al.
- 2001
Citation Context ...more than one valid signature after one interaction with the signer. Chaum [11] first proposed the RSA-based blind signature scheme. However, it has been proved secure only recently by Bellare et al. [2]. The reason for this time gap is that it appears impossible to prove security of Chaum’s scheme based on standard RSA assumptions. The approach taken by [2] is to introduce the new plausible computati... |

1 |
Aggregate signatures from bilinear maps
- Boneh, Gentry, et al.
Citation Context ...sting open problem to find a provably secure multisignature scheme where the composition of the subgroup can be decided after the signature shares are computed. In their independent work Boneh et al. [7] propose a new aggregate signature scheme based on the GS signature scheme. Unlike multisignatures, aggregate signature schemes permit a group of users to aggregate multiple signatures of different me... |

1 |
Efficient group signatures for large groups,” Crypto 97
- Camenisch, Stadler
- 1997
Citation Context ...ners. Another difference is that the verification protocol of a threshold signature scheme does not depend on the current subgroup of signers. Multisignatures are also different from group signatures [13, 10] and ring signatures [42], where every individual member of the group can produce a valid signature on behalf of the whole group. In the latter two settings a signer remains anonymous with respect to ... |

1 |
Blind signatures for untraceable payments,” Crypto 82
- Chaum
- 1982
Citation Context ...e from a signer so that the signer does not learn information about the message it signed and so that the user cannot obtain more than one valid signature after one interaction with the signer. Chaum [11] first proposed the RSA-based blind signature scheme. However, it has been proved secure only recently by Bellare et al. [2]. The reason for this time gap is that it appears impossible to prove securi... |

1 |
A digital signature secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...lly M ∈ {0, 1}*. The common requirement is that V(pk, S(I, sk, M)) = 1 for all M ∈ {0, 1}*. The widely-accepted notion of security for signature schemes is unforgeability under chosen-message attacks [23]. We recall this notion adjusted to the random oracle model in the full version of this paper [5]. We now recall the basic signature scheme of [8]. It uses Gap-Diffie-Hellman groups, so accordingly we... |

1 |
Aggregate signatures from bilinear maps,” Manuscript
- Boneh, Gentry, et al.
Citation Context ...sting open problem to find a provably secure multisignature scheme where the composition of the subgroup can be decided after the signature shares are computed. In their independent work Boneh et al. [BGLS] propose a new aggregate signature scheme based on the GS signature scheme. Unlike multisignatures, aggregate signature schemes permit a group of users to aggregate multiple signatures of different me... |

1 | Blind signatures for untraceable payments," Advances - Chaum - 1982 |

1 | Practical threshold signatures", Advances in Cryptology – Eurocrypt '00 - Shoup - 2000 |

1 | Feldman “A practical scheme for non-interactive verifiable secret sharing - unknown authors - 1987 |

1 | Public key signatures - Galbraith, Malone-Lee, et al. |

1 | Blind signatures for untraceable payments,” Advances - Chaum - 1982 |