Showing papers in "Journal of Cryptology in 1988"


Journal ArticleDOI
TL;DR: The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively, and can be adapted to address efficiently a wide variety of practical considerations.
Abstract: Keeping confidential who sends which messages, in a world where any physical transmission can be traced to its origin, seems impossible. The solution presented here is unconditionally or cryptographically secure, depending on whether it is based on one-time-use keys or on public keys, respectively. It can be adapted to address efficiently a wide variety of practical considerations.

1,513 citations


Journal ArticleDOI
TL;DR: This paper extends interactive proofs of assertions to interactive proofs of knowledge, leading to the definition of unrestricted input zero-knowledge proofs of knowledge, in which the prover demonstrates possession of knowledge without revealing any computational information whatsoever (not even the one bit revealed in zero-knowledge proofs of assertions).
Abstract: In this paper we extend the notion of interactive proofs of assertions to interactive proofs of knowledge. This leads to the definition of unrestricted input zero-knowledge proofs of knowledge in which the prover demonstrates possession of knowledge without revealing any computational information whatsoever (not even the one bit revealed in zero-knowledge proofs of assertions). We show the relevance of these notions to identification schemes, in which parties prove their identity by demonstrating their knowledge rather than by proving the validity of assertions. We describe a novel scheme which is provably secure if factoring is difficult and whose practical implementations are about two orders of magnitude faster than RSA-based identification schemes. The advantages of thinking in terms of proofs of knowledge rather than proofs of assertions are demonstrated in two efficient variants of the scheme: unrestricted input zero-knowledge proofs of knowledge are used in the construction of a scheme which needs no directory; a version of the scheme based on parallel interactive proofs (which are not known to be zero knowledge) is proved secure by observing that the identification protocols are proofs of knowledge.

1,187 citations


Journal ArticleDOI
TL;DR: This paper demonstrates that Shamir's scheme is not secure against certain forms of cheating, and a small modification to his scheme retains the security and efficiency of the original and preserves the property that its security does not depend on any unproven assumptions such as the intractability of computing number-theoretic functions.
Abstract: This paper demonstrates that Shamir’s scheme (“How to share a secret”, Communications of the ACM, vol. 22, no. 11, November 1979, 612–613) is not secure against cheating. A small modification to his scheme retains the security and efficiency of the original, is secure against cheating, and preserves the property that its security does not depend on any unproven assumptions such as the intractability of computing number-theoretic functions.

407 citations


Journal ArticleDOI
TL;DR: Using these keys in the ElGamal public-key cryptosystem provides a scheme for which the decryption of a message requires the ability to factor the modulus and break the original Diffie and Hellman scheme.
Abstract: We propose a variation of the Diffie and Hellman key distribution scheme for which we can prove that decryption of a single key requires the ability to factor a number that is the product of two large primes. The practical advantage of such a scheme is that it will still be secure if the cryptanalyst knows a very fast algorithm for either factoring or computing discrete logarithms, but not for both. Using these keys in the ElGamal public-key cryptosystem provides a scheme for which the decryption of a message requires the ability to factor the modulus and break the original Diffie and Hellman scheme.

180 citations


Journal ArticleDOI
TL;DR: Another key-exchange system is described which, while based on the general idea of the well-known scheme of Diffie and Hellman, seems to be more secure than that technique.
Abstract: We describe another key-exchange system which, while based on the general idea of the well-known scheme of Diffie and Hellman, seems to be more secure than that technique. The new system is based on the arithmetic of an imaginary quadratic field, and makes use, specifically, of the properties of the class group of such a field.

138 citations


Journal ArticleDOI
TL;DR: Two statistical tests are presented for determining if an indexed set of permutations acting on a finite message space forms a group under functional composition, and experiments show, with overwhelming confidence, that DES is not a group.
Abstract: The Data Encryption Standard (DES) defines an indexed set of permutations acting on the message space ℳ = {0,1}^64. If this set of permutations were closed under functional composition, then the two most popular proposals for strengthening DES through multiple encryption would be equivalent to single encryption. Moreover, DES would be vulnerable to a known-plaintext attack that runs in 2^28 steps on the average. It is unknown in the open literature whether or not DES has this weakness.

79 citations


Journal ArticleDOI

69 citations


Journal ArticleDOI
TL;DR: A construction is described for a code which achieves these goals, and which does so with the minimum possible number of encoding rules (namely, v·(v−1)/2), which uses a structure from combinatorial design theory known as a perpendicular array.
Abstract: If we agree to use one of v possible messages to communicate one of k possible source states, then an opponent can successfully impersonate a transmitter with probability at least k/v, and can successfully substitute a message with a fraudulent one with probability at least (k−1)/(v−1). We wish to limit an opponent to these bounds. In addition, we desire that the observation of any two messages in the communication channel will give an opponent no clue as to the two source states. We describe a construction for a code which achieves these goals, and which does so with the minimum possible number of encoding rules (namely, v·(v−1)/2). The construction uses a structure from combinatorial design theory known as a perpendicular array.

53 citations


Journal ArticleDOI
TL;DR: The question of how reliable Rabin's test is when used to generate a random integer that is probably prime, rather than to test a specific integer for primality, is investigated.
Abstract: In this paper we make two observations on Rabin's probabilistic primality test. The first is a provocative reason why Rabin's test is so good. It turned out that a single iteration has a nonnegligible probability of failing only on composite numbers that can actually be split in expected polynomial time. Therefore, factoring would be easy if Rabin's test systematically failed with a 25% probability on each composite integer (which, of course, it does not). The second observation is more fundamental because it is not restricted to primality testing: it has consequences for the entire field of probabilistic algorithms. The failure probability when using a probabilistic algorithm for the purpose of testing some property is compared with that when using it for the purpose of obtaining a random element hopefully having this property. More specifically, we investigate the question of how reliable Rabin's test is when used to generate a random integer that is probably prime, rather than to test a specific integer for primality.

36 citations


Journal ArticleDOI
TL;DR: Here it is shown that Hellman's result holds with no restrictions on the distribution of keys and messages, and the results are obtained through very simple purely information theoretic arguments, with no need for (explicit) counting arguments.
Abstract: In his landmark 1977 paper [2], Hellman extends the Shannon theory approach to cryptography [3]. In particular, he shows that the expected number of spurious key decipherments on length-n messages is at least 2^(H(K)−nD) − 1 for any uniquely encipherable, uniquely decipherable cipher, as long as each key is equally likely and the set of meaningful cleartext messages follows a uniform distribution (where H(K) is the key entropy and D is the redundancy of the source language). Here we show that Hellman's result holds with no restrictions on the distribution of keys and messages. We also bound from above and below the key equivocation upon seeing the ciphertext. The results are obtained through very simple, purely information-theoretic arguments, with no need for (explicit) counting arguments.

18 citations