
Showing papers in "Journal of Cryptology in 1991"


Journal ArticleDOI
TL;DR: An efficient algorithm that preprocesses the exponentiation of a random residue modulo p is presented, which improves the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures.
Abstract: We present a new public-key signature scheme and a corresponding authentication scheme that are based on discrete logarithms in a subgroup of units in Z_p where p is a sufficiently large prime, e.g., p ≥ 2^512. A key idea is to use for the base of the discrete logarithm an integer α in Z_p such that the order of α is a sufficiently large prime q, e.g., q ≥ 2^140. In this way we improve the ElGamal signature scheme in the speed of the procedures for the generation and the verification of signatures and also in the bit length of signatures. We present an efficient algorithm that preprocesses the exponentiation of a random residue modulo p.

2,869 citations


Journal ArticleDOI
TL;DR: Computationally practical procedures are proposed for digital time-stamping of such documents so that it is infeasible for a user either to back-date or to forward-date his document, even with the collusion of a time-stamping service.
Abstract: The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to time-stamp the data, not the medium. We propose computationally practical procedures for digital time-stamping of such documents so that it is infeasible for a user either to back-date or to forward-date his document, even with the collusion of a time-stamping service. Our procedures maintain complete privacy of the documents themselves, and require no record-keeping by the time-stamping service.

1,073 citations


Journal ArticleDOI
Moni Naor
TL;DR: It is shown how a pseudorandom generator can provide a bit-commitment protocol; the number of bits communicated when parties commit to many bits simultaneously is analyzed, and the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communication per bit commitment.
Abstract: We show how a pseudorandom generator can provide a bit-commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communication per bit commitment.

870 citations


Journal ArticleDOI
Donald Beaver
TL;DR: The notion of relative resilience—a means to compare the security and fault-tolerance of one protocol with that of another in a formal manner—provides a key tool for understanding and proving protocol security.
Abstract: A multiparty protocol to compute a function f(x_1, ..., x_n) operates as follows: each of n processors holds an input x_i, and jointly they must compute and reveal f(x_1, ..., x_n) without revealing any additional information about the inputs. The processors are connected by secure communication lines but some number of processors may be corrupted by a resource-unbounded adversary that may attempt to interfere with the protocol or to gain extra information. Ben-Or, Goldwasser, Wigderson, Chaum, Crepeau, and Damgard have given protocols tolerating faults in t

269 citations


Journal ArticleDOI
TL;DR: In this article, the authors show a relationship between ideal secret sharing schemes and matroids, and show that the set of possible shares in a secret sharing scheme is matroid-like.
Abstract: In a secret sharing scheme a dealer has a secret key. There is a finite set P of participants and a set Γ of subsets of P. A secret sharing scheme with Γ as the access structure is a method which the dealer can use to distribute shares to each participant so that a subset of participants can determine the key if and only if that subset is in Γ. The share of a participant is the information sent by the dealer in private to the participant. A secret sharing scheme is ideal if any subset of participants who can use their shares to determine any information about the key can in fact actually determine the key, and if the set of possible shares is the same as the set of possible keys. In this paper we show a relationship between ideal secret sharing schemes and matroids.

267 citations


Journal ArticleDOI
TL;DR: This paper examines the development of a high-speed implementation of a system to perform exponentiation in fields of the form GF(2^n) for sufficiently large n, which has applications in public-key cryptography.
Abstract: In this paper we examine the development of a high-speed implementation of a system to perform exponentiation in fields of the form GF(2^n). For sufficiently large n, this device has applications in public-key cryptography. The selection of representation and observations on the structure of multiplication have led to the development of an architecture which is of low complexity and high speed. A VLSI implementation has been fabricated with measured throughput for exponentiation for cryptographic purposes of approximately 300 kilobits per second.

208 citations


Journal ArticleDOI
TL;DR: It is demonstrated that widely known identification systems, such as the public-file-based Feige-Fiat-Shamir scheme, can be insecure if proper care is not taken with their implementation.
Abstract: In this paper we demonstrate that widely known identification systems, such as the public-file-based Feige-Fiat-Shamir scheme, can be insecure if proper care is not taken with their implementation. We suggest possible solutions. On the other hand, identity-based versions of the Feige-Fiat-Shamir scheme are conceptually more complicated than necessary.

103 citations


Journal ArticleDOI
TL;DR: A statistical approach to cryptanalysis of a memoryless function of clock-controlled shift registers of zero-order correlation immunity and an algorithm for a shift register initial state reconstruction based on the sequence comparison concept are introduced.
Abstract: A statistical approach to cryptanalysis of a memoryless function of clock-controlled shift registers is introduced. In the case of zero-order correlation immunity, an algorithm for a shift register initial state reconstruction based on the sequence comparison concept is proposed. A constrained Levenshtein distance relevant for the cryptanalysis is defined and a novel recursive procedure for its efficient computation is derived. Preliminary experimental results are given and open theoretic problems are discussed.

94 citations


Journal ArticleDOI
TL;DR: This paper uses a formal logic-based approach to protocol analysis to deal with protocols using public key cryptography, and with the notion of “duration” to capture some time-related aspects.
Abstract: In the quest for open systems, standardization of security mechanisms, frameworks, and protocols is becoming increasingly important. This puts high demands on the correctness of the standards. In this paper we use a formal logic-based approach to protocol analysis introduced by Burrows et al. [1]. We extend this logic to deal with protocols using public key cryptography, and with the notion of "duration" to capture some time-related aspects. The extended logic is used to analyse an important CCITT standard, the X.509 Authentication Framework. We conclude that protocol analysis can benefit from the use of the notation and that it highlights important aspects of the protocol analysed. Some aspects of the formalism need further study.

52 citations


Journal ArticleDOI
TL;DR: The permutations are essentially generalizations of discrete exponentiation that rely on newly demonstrated correspondences between elements of elliptic curves and the integers.
Abstract: In recent years one-way functions have been shown to have important applications in cryptography, especially one-way functions that are also permutations. But even with the generality of this research, no function is known to be one-way and the few specific permutations believed to be one-way are all invertible in subexponential time. Elliptic curves offer new permutations that appear to require exponential time for inversion. The permutations are essentially generalizations of discrete exponentiation that rely on newly demonstrated correspondences between elements of elliptic curves and the integers.

47 citations


Journal ArticleDOI
TL;DR: A complexity theoretic analysis relates the perfectness of the generator to the security of the RSA-scheme and a statistical analysis proves that the least-significant bits of P(x) (mod N) are statistically random.
Abstract: Let N be a positive integer and let P ∈ Z[x] be a polynomial that is nonlinear on the set Z_N of integers modulo N. If, by choosing x at random in an initial segment of Z_N, P(x) (mod N) appears to be uniformly distributed in Z_N to any polynomial-time observer, then it is possible to construct very efficient pseudorandom number generators that pass any polynomial-time statistical test. We analyse this generator from two points of view. A complexity theoretic analysis relates the perfectness of the generator to the security of the RSA-scheme. A statistical analysis proves that the least-significant bits of P(x) (mod N) are statistically random.

Journal ArticleDOI
TL;DR: In this article, a probabilistic polynomial-time prover with the appropriate trapdoor knowledge is sufficient to prove perfect or statistical zero-knowledge in all cases except one.
Abstract: New zero-knowledge proofs are given for some number-theoretic problems. All of the problems are in NP, but the proofs given here are much more efficient than the previously known proofs. In addition, these proofs do not require the prover to be superpolynomial in power. A probabilistic polynomial-time prover with the appropriate trapdoor knowledge is sufficient. The proofs are perfect or statistical zero-knowledge in all cases except one.

Journal ArticleDOI
TL;DR: The "powerline system" is described: a modification of the Chor-Rivest system that avoids the main difficulty in implementing the original, namely the computation of discrete logarithms in large finite fields.
Abstract: Among all public-key cryptosystems that depend on the knapsack problem, the system proposed by Chor and Rivest (IEEE Trans. Inform. Theory 34 (1988), 901–909) is one of the few that have not been broken. The main difficulty in implementing their system is the computation of discrete logarithms in large finite fields. In this note we describe the "powerline system," which is a modification of the Chor-Rivest system that does not have this shortcoming. The powerline system, which is not a knapsack system, is at least as secure as the original Chor-Rivest system.

Journal ArticleDOI
Ueli Maurer, James L. Massey
TL;DR: The concept of provable cryptographic security for pseudorandom number generators that was introduced by Schnorr is investigated and extended and the concept of perfect local randomness of a sequence generator is introduced.
Abstract: The concept of provable cryptographic security for pseudorandom number generators that was introduced by Schnorr is investigated and extended. The cryptanalyst is assumed to have infinite computational resources and hence the security of the generators does not rely on any unproved hypothesis about the difficulty of solving a certain problem, but rather relies on the assumption that the number of bits of the generated sequence the enemy can access is limited. The concept of perfect local randomness of a sequence generator is introduced and investigated using some results from coding theory. The theoretical and practical cryptographic implications of this concept are discussed. Possible extensions of the concept of local randomness as well as some applications are proposed.

Journal ArticleDOI
TL;DR: It is argued that the Mordell group of an elliptic curve is more suitable than the multiplicative group of a finite field for the construction of a hard cryptographic suite of problems.
Abstract: In [2] the authors show how to construct the building blocks for perfect zero-knowledge proofs called "blobs" using the discrete log problem. Contrary to what they remark on p. 73 of [2], we argue that the Mordell group of an elliptic curve is more suitable than the multiplicative group of a finite field for the construction of a hard cryptographic suite of problems.

Journal ArticleDOI
TL;DR: Several new constructions for authentication/secrecy codes with splitting are given, derived from finite incidence structures such as partial geometries and affine resolvable designs; in some of these codes the bounds are attained with equality.
Abstract: We investigate authentication codes with splitting, using the mathematical model introduced by Simmons. Besides an overview of the existing bounds, we obtain some new bounds for the probability of deception of the transmitter/ receiver in case of an impersonation or substitution game. We also prove some new bounds for a "spoofing attack of order L." Further, we give several new constructions for authentication/secrecy codes with splitting, derived from finite incidence structures such as partial geometries and affine resolvable designs. In some of these codes the bounds are attained with equality.

Journal ArticleDOI
Jose Pastor
TL;DR: The mail processing automation problem is presented, and the protocol solution and characteristics of the proposed cryptographic CRYPTOPOST™ system are described.
Abstract: A public key cryptography protocol is designed for the authentication of documents. When applied to the authentication of postage on mail envelopes it permits the development of a universal automated and standardized mail processing and postage verification system. The mail processing automation problem is presented, and the protocol solution and characteristics of the proposed cryptographic CRYPTOPOST™ system are described. Partial details of one implementation are disclosed.

Journal ArticleDOI
Stephen M. Matyas
TL;DR: A method is presented for controlling cryptographic key usage based on control vectors and the use of control vectors in cryptosystems based on the Data Encryption Algorithm.
Abstract: A method is presented for controlling cryptographic key usage based on control vectors. Each cryptographic key has an associated control vector that defines the permitted uses of the key within the cryptographic system. At key generation, the control vector is cryptographically coupled to the key by way of a special encryption process. Each encrypted key and control vector are stored and distributed within the cryptographic system as a single token. Decryption of a key requires respecification of the control vector. As part of the decryption process, the cryptographic hardware verifies that the requested use of the key is authorized by the control vector. This article focuses mainly on the use of control vectors in cryptosystems based on the Data Encryption Algorithm.