5.4.4 Coalition Resistance

First we show that three colluding members may together compute $g^d \bmod n$ efficiently. Any two colluding members $i$ and $j$ can compute

$$T_1 = y_i - y_j, \qquad T_2 = v_i^{e_R} - v_j^{e_R}.$$

Note that $T_2 \equiv v_i^{e_R} - v_j^{e_R} \equiv (c_i + b) - (c_j + b) \equiv c_i - c_j \pmod{q_1 q_2}$. By Eq. (5.1), the colluding members $i$ and $j$ can compute

$$\begin{aligned} T_3 &= w_i / w_j \bmod n \\ &= g^{(y_i + c_i)d} / g^{(y_j + c_j)d} \bmod n \\ &= g^{[(y_i - y_j) + (c_i - c_j)]d} \bmod n \\ &= g^{(T_1 + T_2)d} \bmod n. \end{aligned}$$

Assume the number of colluding members exceeds two. Two of the colluding members can obtain $(T_1', T_2', T_3')$ and another two of the colluding members can obtain $(T_1'', T_2'', T_3'')$. Suppose that $\gcd(T_1' + T_2', T_1'' + T_2'') = 1$; then by the extended Euclidean algorithm they can find $E_1$ and $E_2$ such that $E_1(T_1' + T_2') + E_2(T_1'' + T_2'') = 1$. Finally, they calculate $g^d \bmod n$ as $(T_3')^{E_1}(T_3'')^{E_2} \bmod n$ because $(T_3')^{E_1}(T_3'')^{E_2} \equiv (g^{(T_1' + T_2')d})^{E_1}(g^{(T_1'' + T_2'')d})^{E_2} \equiv g^d \pmod n$.

We now show that it is infeasible for colluding members to generate an untraceable signature $(\hat{g}, Z_0, Z_1, Z_2, A_1, A_2, S_0, S_1, S_2)$ such that $S_0$, $S_1$, and $S_2$ are correct even if $g^d \bmod n$ is available. To be correct, it must hold that $S_2 = (Z_1 Z_2)^d \bmod n$. In addition, the two values $Z_1$ and $Z_2$ need to make $S_0$ and $S_1$ correct. Here

$$S_0 = \mathrm{SKREP}\big[(\alpha, \beta) : \hat{g} = g^{\beta} \bmod n \wedge Z_0 = S_b^{\beta} \bmod n \wedge Z_1 = \hat{g}^{\alpha} \bmod n \wedge A_1 = g^{\alpha} u^{\beta} \bmod n \wedge A_2 = t^{\beta} \bmod n\big](m)$$

and

$$S_1 = \mathrm{SKRDL}\big[\gamma : Z_2 Z_0 \equiv \hat{g}^{\gamma e_R} \pmod n\big](m).$$

To obtain an untraceable $S_0$, the colluding members choose $\alpha$ and $\beta$, where $\alpha$ differs from any of the colluding members’ secrets $y_i$. To obtain $S_1$, the colluding members choose $\gamma$. Let $c$ satisfy $\gamma e_R \equiv (c + b) \pmod{q_1 q_2}$. Because solving for $b$ is infeasible (see Theorem 5.4.1 below), deriving such a $c$ from $\gamma e_R$ is infeasible. However, such a $c$ must be used for $S_2 = (g^{\beta})^{d(\alpha + c)} \bmod n$ by Eq. (5.2). But the colluding members do not know which $c$ to use. Furthermore, by the DH problem assumption, computing $(g^{\beta})^{d(\alpha + c)} \bmod n$ is infeasible if $(g^{\beta})^{d} \bmod n$ and $(g^{\beta})^{\alpha + c} \bmod n$ are known but $d$ and $\alpha + c$ are unknown (here, we need $g^d \bmod n$). Accordingly, it is infeasible for the colluding members to obtain $\alpha$, $\beta$, $\gamma$, and $(g^{\beta})^{d(\alpha + c)} \bmod n$ simultaneously. Hence, the proposed signature scheme is coalition-resistant.

Theorem 5.4.1. Under the DL assumption, solving for $b$ is infeasible for a group member even if he has access to other members’ secret keys and membership certificates.

Proof. Suppose for contradiction that $b$ can be solved. We next show that the discrete logarithm of $S_b = g^b \bmod n$ with known $q_1$ and $q_2$ can be solved, contradicting the DL assumption. We simulate members’ secret keys and membership certificates as follows.

1. Choose $y_i \in_R \mathbb{Z}_n$ such that $\gcd(y_i, q_1 q_2) = 1$.

2. Choose $c_i'$ satisfying

   (a) $\gcd((g^{c_i'} / S_b \bmod n) + 1, n) = 1$,
   (b) $\gcd((g^{c_i'} / S_b \bmod n) - 1, n) = 1$,
   (c) $(g^{y_i}(g^{c_i'} / S_b))^{q_1} \not\equiv 1 \pmod n$,
   (d) $(g^{y_i}(g^{c_i'} / S_b))^{q_2} \not\equiv 1 \pmod n$.

Note that $g^{c_i'} / S_b \equiv g^{c_i' - b} \pmod n$ and $c_i'$ plays the role of $(c_i + b) \bmod q_1 q_2$ in the Join phase. Conditions (a) and (b) ensure that $\gcd(c_i, q_1 q_2) = 1$ by Lemma 5.2.5, and conditions (c) and (d) ensure that $\gcd(y_i + c_i, q_1 q_2) = 1$ by Lemma 5.2.2. We now show that $c_i'$ can be obtained efficiently. By Lemma 5.2.6, three consecutive integers satisfying conditions (a) and (b) can be obtained by testing at most nine consecutive integers. Then, by Lemma 5.2.3, $c_i'$ can be obtained by testing the three consecutive integers for conditions (c) and (d). With $c_i'$, members’ membership certificates are simulated as $(x_i, v_i, w_i)$, where

$$x_i = g^{c_i'} / S_b \bmod n, \qquad v_i = (c_i')^{d_R} \bmod q_1 q_2,\ d_R \in_R \mathbb{Z}_{\phi(q_1 q_2)}, \qquad w_i = (g^{y_i} x_i)^d \bmod n,\ d \in_R \mathbb{Z}_{q_1 q_2}.$$

Thus, running the assumed solver on the simulated secret keys and membership certificates above yields $b$, the discrete logarithm of $S_b$, which contradicts the DL assumption.

5.5 Conclusions

Group undeniable signatures are like group signatures except that verifying a signature needs the participation of the group manager. In this chapter, we employ signatures of knowledge and undeniable signature concepts to construct the first convertible group undeniable signature scheme, in which the group manager can turn all or selected group undeniable signatures into group signatures without compromising the security of the secret key used to generate signatures. The proposed scheme also allows the group manager to delegate the ability to confirm and deny signatures to trusted parties without providing them the capability of generating signatures. Moreover, the sizes of the group public key and signatures are independent of the group size, which makes the system scalable. Under standard cryptographic assumptions and the random oracle model, the present scheme is proved to be anonymous, nontransferable, traceable, unforgeable, exculpable, and unlinkable. Furthermore, no colluding subset of group members can generate valid signatures that cannot be traced. Finally, the signature confirmation and denial protocols could be made zero-knowledge using commitment techniques.

Concluding Remarks

Cryptology is a very important technology in electronic security systems. At the earliest stage of computer system development, protecting individual privacy and authenticity may have been sufficient for ensuring information security. However, this became insufficient after the advent of computer networks. Networks bring many new types of relationships to computers and to society, as well as many new sources and types of risks and threats. To cope with these new risks and threats, new methods for information protection have been developed, so that many forms of confidential communication between two or more parties can be performed over an insecure computer network. In this thesis we present schemes for two new group-oriented applications: a fully public-key traitor-tracing scheme and a convertible group undeniable signature scheme. In addition, we study many basic cryptographic techniques that are essential when one constructs complex security systems.

For traitor-tracing applications, we propose a fully public-key traitor-tracing scheme in which every subscriber can prevent others, including the distributor, from learning his secret key. By the choice of parameters, our scheme can be plaintext-secure or semantically secure against a passive generic adversary. There are several desirable properties in our scheme.

1. Key longevity and subscribers’ anonymity are achieved.

2. It is a simple task for the distributor to recompute the encryption key if needed.

3. The tracing algorithm can capture all and only traitors even if the pirate decoder is a black box.

For group undeniable signatures, we are the first to introduce the concept of such signatures. They are more suitable than group signatures in applications where signatures are generated for sensitive, nonpublic data. The first convertible group undeniable signature is proposed in which the group manager can turn select group undeniable signatures into group signatures without compromising the security of the secret key used to generate signatures. There are several desirable properties in the proposed scheme.

1. The group manager can delegate the ability to confirm and deny signatures to trusted parties without providing them the capability of generating signatures.

2. The sizes of the group public key and signatures are independent of the group size.

3. Under standard cryptographic assumptions and the random oracle model, our scheme is proved to be anonymous, nontransferable, traceable, unforgeable, exculpable, and unlinkable.

4. Any colluding subset of group members cannot generate valid signatures that cannot be traced.

5. The signature confirmation and denial protocols could be made zero-knowledge using the commitment techniques.

Further, we list several related problems that deserve to be studied in the future.

1. Key revocation for group (undeniable) signatures is important. When misusing anonymity, a cheating member must be revoked by the group manager, making him unable to sign in the future but without sacrificing the security of past group (undeniable) signatures. It is desirable to design an efficient group (undeniable) signature scheme such that after key revocation, the private keys of the remaining members need not be changed.

2. In a group, a smart security policy is that a set of parties must cooperate in order to carry out some specific task. A typical example is the Shamir threshold scheme [204]. Because different groups may have different access strategies, it seems interesting to explore group-oriented encryption or signature schemes under various threshold situations.

3. In our fully public-key traitor-tracing scheme, the size of message transmission is dependent on the number of total subscribers. It is desirable to construct a scheme such that the size of message transmission is independent of the number of total subscribers.

[1] M. Agrawal, N. Kayal, and N. Saxena, “PRIMES in P,” 2002. http://www.cse.iitk.ac.in/news/primality.html.

[2] A. V. Aho, J. E. Hopcroft, and J. D. Ullman, The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.

[3] R. Anderson and S. Vaudenay, “Minding your p’s and q’s,” in Advances in Cryptology—ASIACRYPT ’96, vol. 1163 of LNCS, pp. 26–35, Springer-Verlag, 1996.

[4] G. Ateniese, M. Joye, and G. Tsudik, “On the difficulty of coalition-resistance in group signature schemes,” in SCN’99, Second Workshop on Security in Communication Networks, 1999.

[5] G. Ateniese and G. Tsudik, “Some open issues and new directions in group signature schemes,” in Financial Cryptography, FC’99, vol. 1648 of LNCS, pp. 196–211, Springer-Verlag, 1999.

[6] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A practical and provably secure coalition-resistant group signature scheme,” in Advances in Cryptology—CRYPTO 2000, vol. 1880 of LNCS, pp. 255–270, Springer-Verlag, 2000.

[7] B. Barak, “How to go beyond the black-box simulation barrier,” in Proceedings of the 35th Annual Symposium on Foundations of Computer Science, FOCS ’01, pp. 106–115, IEEE Computer Society, 2001.

[8] M. Bellare and O. Goldreich, “On defining proofs of knowledge,” in Advances in Cryptology—CRYPTO ’92, vol. 740 of LNCS, pp. 390–420, Springer-Verlag, 1992.

[9] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” in CCS ’93, Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM, 1993.

[10] M. Ben-Or, O. Goldreich, S. Goldwasser, J. Håstad, J. Kilian, S. Micali, and P. Rogaway, “Everything provable is provable in zero-knowledge,” in Advances in Cryptology—CRYPTO ’88, vol. 403 of LNCS, pp. 37–56, Springer-Verlag, 1990.

[11] M. Ben-Or, S. Goldwasser, and A. Wigderson, “Completeness theorems for non-cryptographic fault-tolerant distributed computation,” in Proceedings of the 20th Annual Symposium on Theory of Computing (STOC ’88), pp. 1–10, ACM Press, 1988.

[12] S. Berkovits, “How to broadcast a secret,” in Advances in Cryptology—EUROCRYPT ’91, vol. 547 of LNCS, pp. 535–541, Springer-Verlag, 1991.

[13] D. Bleichenbacher, “Generating ElGamal signatures without knowing the secret key,” in Advances in Cryptology—EUROCRYPT ’96, vol. 1070 of LNCS, pp. 10–18, Springer-Verlag, 1996.

[14] M. Blum, “Coin flipping by telephone: A protocol for solving impossible problems,” in Proceedings of the 24th IEEE Computer Conference, IEEE COMPCON, pp. 133–137, 1982.

[15] M. Blum, P. Feldman, and S. Micali, “Non-interactive zero-knowledge and its applications,” in Proceedings of the 20th Annual Symposium on Theory of Computing (STOC), pp. 103–112, ACM Press, 1988.

[16] C. Blundo and A. Cresti, “Space requirements for broadcast encryption,” in Advances in Cryptology—EUROCRYPT ’94, vol. 950 of LNCS, pp. 287–298, Springer-Verlag, 1994.

[17] C. Blundo, L. A. F. Mattos, and D. R. Stinson, “Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution,” in Advances in Cryptology—CRYPTO ’96, vol. 1109 of LNCS, pp. 387–400, Springer-Verlag, 1996.

[18] B. den Boer, “Diffie-Hellman is as strong as discrete log for certain primes,” in Advances in Cryptology—CRYPTO ’88, vol. 403 of LNCS, pp. 520–539, Springer-Verlag, 1990.

[19] D. Boneh and M. Franklin, “An efficient public key traitor tracing scheme,” in Advances in Cryptology—CRYPTO ’99, vol. 1666 of LNCS, pp. 338–353, Springer-Verlag, 1999.

[20] D. Boneh and M. Franklin, “Anonymous authentication with subset queries,” in CCS ’99, Proceedings of the 6th ACM Conference on Computer and Communications Security, pp. 113–119, ACM, 1999.

[21] A. Bosselaers, H. Dobbertin, and B. Preneel, “RIPEMD-160: A strengthened version of RIPEMD,” in Fast Software Encryption: Third International Workshop, vol. 1039 of LNCS, pp. 71–82, Springer-Verlag, 1996.

[22] J. Boyar, D. Chaum, I. Damgård, and T. Pedersen, “Convertible undeniable signatures,” in Advances in Cryptology—CRYPTO ’90, vol. 537 of LNCS, pp. 189–205, Springer-Verlag, 1991.

[23] C. Boyd, “Digital multisignatures,” in Cryptography and Coding, pp. 241–246, Oxford University Press, 1989.

[24] B. O. Brachtl, D. Coppersmith, M. M. Hyden, S. M. Matyas, C. H. Meyer, J. Oseas, S. Pilpel, and M. Schilling, “Data authentication using modification detection codes based on a public one-way encryption function.” U.S. Patent 4,908,861, 13 Mar. 1990.

[25] S. A. Brands, Rethinking Public Key Infrastructures and Digital Certificates. MIT Press, Cambridge, Massachusetts, 2000.

[26] S. Brands, “An efficient off-line electronic cash system based on the representation problem,” Tech. Rep. CS-R9323, CWI, 1993.

[27] G. Brassard, D. Chaum, and C. Crépeau, “Minimum disclosure proofs of knowledge,” Journal of Computer and System Sciences, vol. 37, no. 2, pp. 156–189, 1988.

[28] G. Brassard, C. Crépeau, R. Jozsa, and D. Langlois, “A quantum bit commitment scheme provably unbreakable by both parties,” in Proceedings of the 34th Annual Symposium on Foundations of Computer Science, FOCS ’93, pp. 362–371, IEEE Computer Society, 1993.

[29] G. Brassard, C. Crépeau, and J. M. Robert, “Information theoretic reductions among disclosure problems,” in Proceedings of the 27th Annual Symposium on Foundations of Computer Science, FOCS ’88, pp. 168–173, IEEE Computer Society, 1986.

[30] G. Brassard, C. Crépeau, and M. Yung, “Constant-round perfect zero-knowledge computationally convincing protocols,” Theoretical Computer Science, vol. 84, no. 1, pp. 23–52, 1991.

[31] G. Brassard and M. Yung, “One-way group actions,” in Advances in Cryptology—CRYPTO ’90, vol. 537 of LNCS, pp. 94–107, Springer-Verlag, 1991.

[32] E. F. Brickell, “A fast modular multiplication algorithm with application to two key cryptography,” in Advances in Cryptology: Proceedings of Crypto 82, pp. 51–60, Plenum Press, New York and London, 1983.

[33] J. A. Buchmann, Introduction to Cryptography. Springer-Verlag, 2000.

[34] J. Camenisch, Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem. PhD thesis, ETH Zurich, 1998.

[35] J. Camenisch and M. Michels, “Separability and efficiency for generic group signature schemes,” in Advances in Cryptology—CRYPTO ’99, vol. 1666 of LNCS, pp. 413–430, Springer-Verlag, 1999.

[36] J. Camenisch and A. Lysyanskaya, “An efficient system for non-transferable anonymous credentials with optional anonymity revocation,” Report 2001/019, Cryptology ePrint Archive, Mar. 2001.

[37] J. Camenisch and A. Lysyanskaya, “An identity escrow scheme with appointed verifiers,” in Advances in Cryptology—CRYPTO 2001, vol. 2139 of LNCS, pp. 388–407, Springer-Verlag, 2001.

[38] J. Camenisch and M. Stadler, “Efficient group signature schemes for large groups (extended abstract),” in Advances in Cryptology—CRYPTO ’97, vol. 1294 of LNCS, pp. 410–424, Springer-Verlag, 1997.

[39] J. Camenisch, “Efficient and generalized group signatures,” in Advances in Cryptology—EUROCRYPT ’97, vol. 1233 of LNCS, pp. 465–479, Springer-Verlag, 1997.

[40] R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Adaptive security for threshold cryptosystems,” in Advances in Cryptology—CRYPTO ’99, vol. 1666 of LNCS, pp. 98–115, Springer-Verlag, 1999.

[41] R. Canetti, J. Kilian, E. Petrank, and A. Rosen, “Black-box concurrent zero-knowledge requires (almost) logarithmically many rounds,” SIAM Journal on Computing, vol. 32, no. 1, pp. 1–47, 2002. Preliminary version in STOC ’01.

[42] D. Chaum, C. Crépeau, and I. Damgård, “Multi-party unconditionally secure protocols,” in Proceedings of the 20th Annual Symposium on Theory of Computing (STOC), pp. 11–19, ACM, 1988.

[43] D. Chaum, J.-H. Evertse, and J. van der Graaf, “An improved protocol for demonstrating possession of a discrete logarithm and some generalizations,” in Advances in Cryptology—EUROCRYPT ’87, vol. 304 of LNCS, pp. 127–141, Springer-Verlag, 1987.

[44] D. Chaum and E. van Heyst, “Group signatures,” in Advances in Cryptology—EUROCRYPT ’91, vol. 547 of LNCS, pp. 257–265, Springer-Verlag, 1991.

[45] D. Chaum and T. P. Pedersen, “Wallet databases with observers,” in Advances in Cryptology—CRYPTO ’92, vol. 740 of LNCS, pp. 89–105, Springer-Verlag, 1993.

[46] D. Chaum, E. van Heijst, and B. Pfitzmann, “Cryptographically strong undeniable signatures, unconditionally secure for the signer,” in Advances in Cryptology—CRYPTO ’91, vol. 576 of LNCS, pp. 470–484, Springer-Verlag, 1991.

[47] D. Chaum, E. van Heijst, and B. Pfitzmann, “Cryptographically strong undeniable signatures, unconditionally secure for the signer,” in Advances in Cryptology—CRYPTO ’91, vol. 576 of LNCS, pp. 470–484, Springer-Verlag, 1992.

[48] D. Chaum, “Zero-knowledge undeniable signatures,” in Advances in Cryptology—EUROCRYPT ’90, vol. 473 of LNCS, pp. 458–464, Springer-Verlag, 1991.

[49] D. Chaum, “Designated confirmer signatures,” in Advances in Cryptology—EUROCRYPT ’94, vol. 950 of LNCS, pp. 86–91, Springer-Verlag, 1994.

[50] D. Chaum and J.-H. Evertse, “A secure and privacy-protecting protocol for transmitting personal information between organizations,” in Advances in Cryptology—CRYPTO ’86, vol. 263 of LNCS, pp. 118–167, Springer-Verlag, 1987.

[51] D. Chaum and H. van Antwerpen, “Undeniable signatures,” in Advances in Cryptology—CRYPTO ’89, vol. 435 of LNCS, pp. 212–216, Springer-Verlag, 1990.

[52] D. L. Chaum, “Security without identification: transaction systems to make big brother obsolete,” CACM, vol. 28, pp. 1030–1044, Oct. 1985.

[53] L. Chen, “Access with pseudonyms,” in Cryptography: Policy and Algorithms, vol. 1029 of LNCS, pp. 232–243, Springer-Verlag, 1995.

[54] L. Chen and T. Pedersen, “New group signature schemes,” in Advances in Cryptology—EUROCRYPT ’94, vol. 950 of LNCS, pp. 171–181, Springer-Verlag, 1995.

[55] L. Chen and T. P. Pedersen, “On the efficiency of group signatures providing information-theoretic anonymity,” in Advances in Cryptology—EUROCRYPT ’95, vol. 921 of LNCS, pp. 39–49, Springer-Verlag, 1995.

[56] C. H. Chiou and W. T. Chen, “Secure broadcasting using the secure lock,” IEEE Transactions on Software Engineering, vol. 15, no. 8, pp. 929–934, 1989.

[57] B. Chor, A. Fiat, and M. Naor, “Tracing traitors,” in Advances in Cryptology—CRYPTO ’94, vol. 839 of LNCS, pp. 257–270, Springer-Verlag, 1994.

[58] B. Chor, A. Fiat, M. Naor, and B. Pinkas, “Tracing traitors,” IEEE Transactions on Information Theory, vol. 46, pp. 893–910, May 2000.

[59] H. Cohen, A Course in Computational Algebraic Number Theory, vol. 138 of Graduate Texts in Mathematics. Springer-Verlag, 1993.

[60] C. Crépeau, “Equivalence between two flavors of oblivious transfer,” in Advances in Cryptology—CRYPTO ’87, vol. 293 of LNCS, pp. 350–354, Springer-Verlag, 1987.

[61] C. Crépeau and J. Kilian, “Achieving oblivious transfer using weakened security assumptions,” in Proceedings of the 29th Annual Symposium on Foundations of Computer Science, FOCS ’88, pp. 42–52, IEEE Computer Society, 1988.

[62] C. Crépeau, “Efficient cryptographic protocols based on noisy channels,” in Advances in Cryptology—EUROCRYPT ’97, vol. 1233 of LNCS, pp. 306–317, Springer-Verlag, 1997.

[63] I. Damgård, The Application of Claw Free Functions in Cryptography. PhD thesis, Aarhus University, Mathematical Institute, 1988.

[64] I. Damgård, “A design principle for hash functions,” in Advances in Cryptology—CRYPTO ’89, vol. 435 of LNCS, pp. 416–427, Springer-Verlag, 1990.

[65] I. Damgård, J. Kilian, and L. Salvail, “On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions,” in Advances in Cryptology—CRYPTO ’99, vol. 1592 of LNCS, pp. 56–73, Springer-Verlag, 1999.

[66] I. Damgård, T. P. Pedersen, and B. Pfitzmann, “On the existence of statistically hiding bit commitment schemes and fail-stop signatures,” Journal of Cryptology, vol. 10, no. 3, pp. 163–194, 1997.

[67] I. B. Damgård, “Collision free hash functions and public key signature schemes,” in Advances in Cryptology—EUROCRYPT ’87, vol. 304 of LNCS, pp. 203–216, Springer-Verlag, 1988.

[68] I. Damgård, “Commitment schemes and zero-knowledge protocols,” in Lectures on Data Security, vol. 1561 of LNCS, pp. 63–86, Springer-Verlag, 1999.

[69] I. Damgård and E. Fujisaki, “A statistically-hiding integer commitment scheme based on groups with hidden order,” in Advances in Cryptology—ASIACRYPT 2002, vol. 2501 of LNCS, pp. 125–142, Springer-Verlag, 2002.

[70] I. Damgård and T. P. Pedersen, “New convertible undeniable signature schemes,” in Advances in Cryptology—EUROCRYPT ’96, vol. 1070 of LNCS, pp. 372–386, Springer-Verlag, 1996.

[71] I. B. Damgård, “Payment systems and credential mechanisms with provable security against abuse by individuals,” in Advances in Cryptology—CRYPTO ’88, vol. 403 of LNCS, pp. 328–335, Springer-Verlag, 1990.

[72] R. W. Davies and W. L. Price, “Digital signature—an update,” in Proc. International Conference on Computer Communication, pp. 843–847, Elsevier, 1985.

[73] H. Delfs and H. Knebl, Introduction to Cryptography: Principles and Applications. Springer-Verlag, 2002.

[74] B. den Boer and A. Bosselaers, “Collisions for the compression function of MD5,” in Advances in Cryptology—EUROCRYPT ’93, vol. 765 of LNCS, pp. 293–304, Springer-Verlag, 1994.

[75] Y. Desmedt and M. Yung, “Weakness of undeniable signature schemes,” in Advances in Cryptology—CRYPTO ’91, vol. 576 of LNCS, pp. 205–220, Springer-Verlag, 1991.

[76] Y. Desmedt, “Society and group oriented cryptography: A new concept,” in Advances in Cryptology—CRYPTO ’87, vol. 293 of LNCS, pp. 120–127, Springer-Verlag, 1988.

[77] Y. Desmedt and Y. Frankel, “Threshold cryptosystems,” in Advances in Cryptology—CRYPTO ’89, vol. 435 of LNCS, pp. 307–315, Springer-Verlag, 1990.

[78] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, vol. IT-22, pp. 644–654, Nov. 1976.

[79] H. Dobbertin, “Cryptanalysis of MD4,” Journal of Cryptology, vol. 11, pp. 253–271, 1998.

[80] H. Dobbertin, “Cryptanalysis of MD5 compress.” Presented at the Rump Session of EUROCRYPT ’96, 1996.

[81] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptography,” in Proceedings of the 23rd Annual Symposium on Theory of Computing (STOC ’91), pp. 542–552, ACM Press, 1991.

[82] D. Dolev, C. Dwork, and M. Naor, “Nonmalleable cryptography,” SIAM Journal on Computing, vol. 30, no. 2, pp. 391–437, 2000.

[83] C. Dwork, M. Naor, and A. Sahai, “Concurrent zero knowledge,” in Proceedings of the 30th Annual Symposium on Theory of Computing (STOC ’98), pp. 409–418, ACM Press, 1998.

[84] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” in Advances in Cryptology—CRYPTO ’88, vol. 196 of LNCS, pp. 10–18, Springer-Verlag, 1985.

[85] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, vol. 31, no. 4, pp. 469–472, 1985.

[86] S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing contracts,” CACM, vol. 28, pp. 637–647, 1985.

[87] U. Feige, A. Fiat, and A. Shamir, “Zero-knowledge proofs of identity,” Journal of Cryptology, vol. 1, no. 2, pp. 77–94, 1988.

[88] U. Feige and A. Shamir, “Witness indistinguishability and witness hiding protocols,” in Proceedings of the 22nd Annual Symposium on Theory of Computing (STOC ’90), pp. 416–426, ACM Press, 1990.

[89] A. Fiat and M. Naor, “Broadcast encryption,” in Advances in Cryptology—CRYPTO ’93, vol. 773 of LNCS, pp. 480–491, Springer-Verlag, 1993.

[90] A. Fiat and A. Shamir, “How to prove yourself: Practical solutions to identification and signature problems,” in Advances in Cryptology—CRYPTO ’86, vol. 263 of LNCS, pp. 186–194, Springer-Verlag, 1987.

[91] FIPS 180-1, “Secure hash standard.” Federal Information Processing Standard Publication 180-1, NIST, US Department of Commerce, 1995.

[92] FIPS 180-2, “Secure hash standard.” Federal Information Processing Standard Publication 180-2 (Draft), NIST, US Department of Commerce, 2001.

[93] FIPS 186, “Digital signature standard.” Federal Information Processing Standard Publication 186, NIST, US Department of Commerce, 1994.

[94] A. Fujioka, T. Okamoto, and K. Ohta, “Interactive bi-proof systems and undeniable signature schemes,” in Advances in Cryptology—EUROCRYPT ’91, vol. 547 of LNCS, pp. 243–256, Springer-Verlag, 1991.

[95] E. Fujisaki and T. Okamoto, “Statistical zero-knowledge protocols to prove