
Showing papers on "Cryptography published in 1989"


Book ChapterDOI
Ralph C. Merkle
20 Aug 1989
TL;DR: A practical digital signature system based on a conventional encryption function which is as secure as the conventional encryption function is described, without the several years delay required for certification of an untested system.
Abstract: A practical digital signature system based on a conventional encryption function which is as secure as the conventional encryption function is described. Since certified conventional systems are available it can be implemented quickly, without the several years delay required for certification of an untested system.

1,746 citations


Proceedings Article
01 Jul 1989
TL;DR: In this paper, practical non-interactive public key systems are proposed which allow the reuse of the shared secret key since the key is not revealed either to insiders or to outsiders.
Abstract: In a society oriented cryptography it is better to have a public key for the company (organization) than having one for each individual employee [Des88]. Certainly in emergency situations, power is shared in many organizations. Solutions to this problem were presented [Des88], based on [GMW87], but are completely impractical and interactive. In this paper practical non-interactive public key systems are proposed which allow the reuse of the shared secret key since the key is not revealed either to insiders or to outsiders.

1,088 citations


Journal ArticleDOI
TL;DR: This paper shows how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs, and explains the formalism used to isolate and express these differences with a precision that was not previously possible.
Abstract: Questions of belief are essential in analysing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis: we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with shared-key cryptography and with public-key cryptography. Some of the examples are chosen because of their practical importance, whereas others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice; for example, to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.

492 citations


Journal ArticleDOI
TL;DR: The authors discuss secure broadcasting, effected by means of a secure lock, on broadcast channels, such as satellite, radio, etc, implemented by using the Chinese Remainder theorem (CRT).
Abstract: The authors discuss secure broadcasting, effected by means of a secure lock, on broadcast channels, such as satellite, radio, etc. This lock is implemented by using the Chinese Remainder theorem (CRT). The secure lock offers the following advantages: only one copy of the ciphertext is sent; the deciphering operation is efficient; and the number of secret keys held by each user is minimized. Protocols for secure broadcasting using the secure lock, based on the public-key cryptosystem as well as the private-key cryptosystem, are presented.

284 citations


Journal ArticleDOI
TL;DR: An ID-based cryptosystem based on the discrete logarithm problem is proposed which is one of the earliest realizations in Shamir's sense and the security against a conspiracy of some entities in the proposed system is considered, along with the possibility of establishing a more secure system.
Abstract: In a modern network system, data security technologies such as cryptosystems, signature schemes, etc., are indispensable for reliable data transmission. In particular, for a large-scale network, ID-based systems such as the ID-based cryptosystem, the ID-based signature scheme, or the ID-based key distribution system are among the better countermeasures for establishing efficient and secure data transmission systems. The concept of an ID-based cryptosystem has been proposed by A. Shamir (1985), and it is advantageous to public-key cryptosystems because a large public-key file is not required for such a system. An ID-based cryptosystem based on the discrete logarithm problem is proposed which is one of the earliest realizations in Shamir's sense. The security against a conspiracy of some entities in the proposed system is considered, along with the possibility of establishing a more secure system.

202 citations


Proceedings Article
01 Jul 1989
TL;DR: A variant of the RSA algorithm called Batch RSA with two important properties: the cost per private operation is exponentially smaller than other number-theoretic schemes and the possibility of using a distributed Batch RSA process that isolates the private key from the system, irrespective of the size of the system, the number of sites, or the number of private operations that need to be performed.
Abstract: Number theoretic cryptographic algorithms are all based upon modular multiplication modulo some composite or prime. Some security parameter n is set (the length of the composite or prime). Cryptographic functions such as digital signature or key exchange require O(n) or O(?n) modular multiplications ([DH, RSA, R, E, GMR, FS], etc.). This paper proposes a variant of the RSA scheme which requires only polylog(n) (O(log^2 n)) modular multiplications per RSA operation. Inherent to the scheme is the idea of batching, i.e., performing several encryption or signature operations simultaneously. In practice, the new variant effectively performs several modular exponentiations at the cost of a single modular exponentiation. This leads to a very fast RSA-like scheme whenever RSA is to be performed at some central site or when pure-RSA encryption (vs. hybrid encryption) is to be performed. An important feature of the new scheme is a practical scheme that isolates the private key from the system, irrespective of the size of the system, the number of sites, or the number of private operations that need be performed.

198 citations


Book ChapterDOI
01 Jul 1989
TL;DR: A key distribution protocol is proposed for digital mobile communication systems that can be used with a star-type network and a countermeasure is proposed to cope with a possible active attack by a conspiracy of two opponents.
Abstract: A key distribution protocol is proposed for digital mobile communication systems. The protocol can be used with a star-type network. User terminals have a constraint of being hardware-limited. Security of the protocol is discussed. A countermeasure is proposed to cope with a possible active attack by a conspiracy of two opponents.

192 citations


Book ChapterDOI
20 Aug 1989
TL;DR: In this paper, the authors constructed several block ciphers which have the following ideal properties: (1) the cipher is provably secure, (2) security of the cipher does not depend on any unproved hypotheses, (3) it can be easily implemented with current technology, and (4) all design criteria for the cipher are made public.
Abstract: One of the ultimate goals of cryptography researchers is to construct a (secret-key) block cipher which has the following ideal properties: (1) The cipher is provably secure, (2) Security of the cipher does not depend on any unproved hypotheses, (3) The cipher can be easily implemented with current technology, and (4) All design criteria for the cipher are made public. It is currently unclear whether or not there really exists such an ideal block cipher. So to meet the requirements of practical applications, the best thing we can do is to construct a block cipher such that it approximates the ideal one as closely as possible. In this paper, we make a significant step in this direction. In particular, we construct several block ciphers each of which has the above mentioned properties (2), (3) and (4) as well as the following one: (1') Security of the cipher is supported by convincing evidence. Our construction builds upon profound mathematical bases for information security recently established in a series of excellent papers.

190 citations


Book
01 Nov 1989
TL;DR: Data security; ciphers and their properties; the data encryption standard; using block ciphers in practice; authentication and integrity; key management; identity verification; public key ciphers; digital signatures; electronic funds transfer and the intelligent token; data security standards, as discussed by the authors.
Abstract: Data security; ciphers and their properties; the data encryption standard; using block ciphers in practice; authentication and integrity; key management; identity verification; public key ciphers; digital signatures; electronic funds transfer and the intelligent token; data security standards.

178 citations


Proceedings ArticleDOI
01 May 1989
TL;DR: In this paper, the authors describe the use of cryptographic authentication for controlling computer viruses, which relies on a trusted device, the authenticator, used to authenticate and update programs and convert programs between the various formats.
Abstract: The author describes the use of cryptographic authentication for controlling computer viruses. The objective is to protect against viruses infecting software distributions, updates, and programs stored or executed on a system. The authentication determines the source and integrity of an executable, relying on the source to produce virus-free software. The scheme relies on a trusted (and verifiable, where possible) device, the authenticator, used to authenticate and update programs and convert programs between the various formats. In addition, each user's machine uses a similar device to perform run-time checking.

167 citations


Journal ArticleDOI
E. Okamoto, K. Tanaka
TL;DR: A key distribution system (KDS) based on identification information (ID-based KDS) is presented, which is founded on the Diffie-Hellman public key distribution scheme and has an identity authentication function.
Abstract: A key distribution system (KDS) based on identification information (ID-based KDS) is presented. The system is founded on the Diffie-Hellman public key distribution scheme and has an identity authentication function. It uses an individual user's identification information instead of the public file used in the Diffie-Hellman scheme. It does not require any services of a center to distribute work keys or users to keep directories of key-encrypting keys. Therefore, key management in cryptosystems can be simplified by adopting the ID-based KDS. Two kinds of identity-based key distribution system are proposed and applied to actual communication networks. One uses two-way (interactive) communication to distribute work keys, while the other uses one-way communication. Modular exponentiations of large numbers, used in the systems, are implemented with digital signal processors.

Proceedings Article
01 Jan 1989
TL;DR: It is shown that many of the standard cryptographic tasks are equivalent to the usual definition of a one-way function, and thus the security of any proposed protocol for these tasks is implicitly based on a function being 'one-way.
Abstract: It is shown that many of the standard cryptographic tasks are equivalent to the usual definition of a one-way function. In particular, it is shown that for some of the standard cryptographic tasks any secure protocol for the task can be converted into a one-way function in the usual sense, and thus the security of any proposed protocol for these tasks is implicitly based on a function being 'one-way.' Thus, the usual definition of a one-way function is robust; any one-way function with respect to another definition on which a secure cryptographic protocol can be based can be used to construct a one-way function in the usual sense. The authors focus on private-key encryption, identification/authentication, bit commitment, and coin flipping by telephone. However, the proof techniques presented here can be easily adopted to prove analogous results for other cryptographic tasks.

Book ChapterDOI
20 Aug 1989
TL;DR: A new untraceable electronic cash scheme satisfying both untraceability and unreusability is proposed, which overcomes the problems of the previous scheme proposed by Chaum, Fiat and Naor through its greater efficiency and provable security under reasonable cryptographic assumptions.
Abstract: In this paper, we propose a new type of authentication system, disposable zero-knowledge authentication system. Informally speaking, in this authentication system, double usage of the same authentication is prevented. Based on these disposable zero-knowledge authentication systems, we propose a new untraceable electronic cash scheme satisfying both untraceability and unreusability. This scheme overcomes the problems of the previous scheme proposed by Chaum, Fiat and Naor through its greater efficiency and provable security under reasonable cryptographic assumptions. We also propose a scheme, transferable untraceable electronic cash scheme, satisfying transferability as well as the above two criteria, whose properties have not been previously proposed in any other scheme. Moreover, we also propose a new type of electronic cash, untraceable electronic coupon ticket, in which the value of one piece of the electronic cash can be subdivided into many pieces.

Journal ArticleDOI
TL;DR: Methods of implementing public key algorithms based on modular integer arithmetic (RSA) and finite-field arithmetic (Diffie-Hellman, El Gamal) and architecture for VLSI implementations are examined.
Abstract: Methods of implementing public key algorithms based on modular integer arithmetic (RSA) and finite-field arithmetic (Diffie-Hellman, El Gamal) are examined. Architectures for VLSI implementations are emphasized.

Journal ArticleDOI
TL;DR: A function based on chaos theory for generating sequences of random numbers to be used like a one-time pad, but the cycle length turns out to be unpredictable and often short.
Abstract: Matthews [1] has proposed a function based on chaos theory for generating sequences of random numbers to be used like a one-time pad. When implemented on digital computer systems, these functions must produce repeating cycles of values. The cycle length turns out to be unpredictable and often short. The function is not suitable for cryptographic use in the manner proposed by Matthews.

Journal Article
TL;DR: The author briefly reviews earlier uses of number theory and then examines recent applications to music, cryptography, and error-correction codes.
Abstract: Number theory, an abstract branch of mathematics that deals with relationships between whole numbers, has provided highly useful answers to numerous real-world problems. The author briefly reviews earlier uses of number theory and then examines recent applications to music, cryptography, and error-correction codes.

Book ChapterDOI
20 Aug 1989
TL;DR: In this paper, the authors proposed a new zero knowledge identification scheme, which is even faster than the Fiat-Shamir scheme, using a small number of communicated bits, simple 8-bit arithmetic operations, and compact public and private keys.
Abstract: In 1985 Goldwasser Micali and Rackoff proposed a new type of interactive proof system which reveals no knowledge whatsoever about the assertion except its validity. The practical significance of these proofs was demonstrated in 1986 by Fiat and Shamir, who showed how to use efficient zero knowledge proofs of quadratic residuosity to establish user identities and to digitally sign messages. In this paper we propose a new zero knowledge identification scheme, which is even faster than the Fiat-Shamir scheme, using a small number of communicated bits, simple 8-bit arithmetic operations, and compact public and private keys. The security of the new scheme depends on an NP-complete algebraic problem rather than on factoring, and thus it widens the basis of public key cryptography, which has become dangerously dependent on the difficulty of a single problem.

Book ChapterDOI
20 Aug 1989
TL;DR: The purpose of this paper is to briefly describe some of the different computational algorithms that have been used in the chip designs and to provide a list of all of the currently available chips.
Abstract: Today, a dozen years after the discovery of the RSA encryption algorithm [12], there are many chips available for performing RSA encryption [1] [3] [4] [5] [8] [9] [13] [15]. The purpose of this paper is to briefly describe some of the different computational algorithms that have been used in the chip designs and to provide a list of all of the currently available chips. In this abstract, we will simply mention some of these computational algorithms and give references. The full paper will contain more details of these algorithms and will appear in a book on survey articles in Cryptology which is being edited by Gus Simmons and will be published by IEEE in 1990.

Patent
30 Aug 1989
TL;DR: In this paper, the authors propose a control vector which provides the authorization for the uses of the data cryptography key intended by the originator of the key; among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, and translation of the user's data.
Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorization for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation center, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

Journal ArticleDOI
01 Sep 1989
TL;DR: The possibility of integrating human visual intelligence into the process of encrypting sensitive information by presenting certain visual information to the recipient's eye is discussed, which adds a new dimension to the cryptocomplexity of such a process.
Abstract: The possibility of integrating human visual intelligence into the process of encrypting sensitive information by presenting certain visual information to the recipient's eye is discussed. This adds a new dimension to the cryptocomplexity of such a process. Two implementations based on this principle are described. The first shows how keys used for encryption can be randomly generated by the transmitter, without the necessity of exchanging them with the legitimate recipient. The keys are 'embedded' in a master key and are recovered from it by the intelligence of the legitimate recipient after he or she uses the master key. No human intelligence can be helpful to a user who does not possess the master key. The second implementation concerns the possibility of creating a secret connection between a numerical key and a specific image (e.g. a face). Such a scheme can be used, for example, in validating the identity of the users of credit cards.

Journal ArticleDOI
TL;DR: An approach to private-key cryptosystems is proposed which allows use of very simple codes of distance, and it is shown that this approach can be used to solve the challenge of verifying identity of Turing-complete systems.
Abstract: An approach to private-key cryptosystems is proposed which allows use of very simple codes of distance >


Journal ArticleDOI
TL;DR: A modified scheme is proposed, based on the RSA scheme, which will allow any number of users to sign a document and send it secretly to the receiver, where the length of ciphertext remains constant, no matter how great the number of signatories.
Abstract: When two individual users wish to carry on a secure conversation, they can use the well-known RSA public key cryptosystem in doing so. This cryptosystem provides to these users both data secrecy and digital signature in a very efficient manner. However, in many applications, multiple users need to sign a document. In this letter, we propose a modified scheme, based on the RSA scheme, which will allow any number of users to sign a document and send it secretly to the receiver. The length of ciphertext remains constant, no matter how great the number of signatories. The trade-off is that the processing times required for generating the multisignature, and for verifying multisignatures, depend on the number of signatories.

Book ChapterDOI
01 Jul 1989
TL;DR: This work proposes relaxed criteria for the security of KDS, and presents a system which meets most of the criteria, and gives evidence that one of the variants has super-polynomial security against any malicious adversary, assuming RSA modulus is hard to factor.
Abstract: Zero Knowledge (ZK) theory formed the basis for practical identification and signature cryptosystems (invented by Fiat and Shamir). It also was used to construct a key distribution scheme (invented by Bauspiess and Knobloch); however, it seems that the ZK concept is less appropriate for key distribution systems (KDS), where the main cost is the number of communications. We propose relaxed criteria for the security of KDS, which we assert are sufficient, and present a system which meets most of the criteria. Our system is not ZK (it leaks few bits), but in return it is very simple. It is a Diffie-Hellman variation. Its security is equivalent to RSA, but it runs faster. Our definition for the security of KDS is based on a new definition of security for one-way functions recently proposed by Goldreich and Levin. For a given system and given cracking-algorithm, I, the cracking rate is roughly the average of the inverse of the running-time over all instances (if on some instance it fails, that inverse is zero). If there exists a function s : N → N, s.t. for all I, the cracking-rate for security parameter n is O(1)/s(n), then we say that the system has at least security s. We use this concept to define the security of KDS for malicious adversary (the passive adversary is a special case). Our definition of a malicious adversary is relatively restricted, but we assert it is general enough for KDS. This restriction enables the proof of security results for simple and practical systems. We further modify the definition to allow past keys, and their protocol messages, in the input data to a cracking algorithm. The resulting security function is called the "amortized security" of the system. This is justified by current usage of KDS, where the keys are often used with cryptosystems of moderate strength. We demonstrate the above properties on some Diffie-Hellman KDS variants which also authenticate the parties.
In particular, we give evidence that one of the variants has super-polynomial security against any malicious adversary, assuming RSA modulus is hard to factor. We also give evidence that its amortized security is super-polynomial. (The original DH scheme does not authenticate, and the version with public directory has a fixed key, i.e. rem amortized security.)

Patent
09 Aug 1989
TL;DR: In this paper, data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorisation for the uses of the key intended by the originator.
Abstract: Data cryptography is achieved in an improved manner by associating with the data cryptography key, a control vector which provides the authorisation for the uses of the key intended by the originator of the key. Among the uses specified by the control vector are limitations on encryption, decryption, authentication code generation and verification, translation of the user's data. Complex combinations of data manipulation functions are possible using the control vectors, in accordance with the invention. The system administrator can exercise flexibility in changing the implementation of his security policy by selecting appropriate control vectors in accordance with the invention. Complex scenarios such as encrypted mail box, session protection, file protection, ciphertext translation centre, peer-to-peer ciphertext translation, message authentication, message authentication with non-repudiation and many others can be easily implemented by a system designer using the control vectors, in accordance with the invention.

Journal ArticleDOI
E. Okamoto, K. Tanaka
TL;DR: A network information security management system which authenticates and/or encrypts messages is proposed and both authentication and key distribution are executed in a simple scheme.
Abstract: A network information security management system which authenticates and/or encrypts messages is proposed. Both authentication and key distribution are executed in a simple scheme. Once the system is set up, the transactions are done independently by the users involved, yet the amount of information that users must keep is small. The experimental implementation of the system on a personal computer network, using IC cards (smart cards) and digital signal processors, is described. The signal processors shorten calculation time and make the concept practical.

Journal ArticleDOI
TL;DR: The optimal values of the parameters of the McEliece public-key cryptosystem are computed and it is shown that use of these values improves the cryptanalytic complexity of the system and decreases its data expansion.
Abstract: The optimal values of the parameters of the McEliece public-key cryptosystem are computed. It is shown that use of these values improves the cryptanalytic complexity of the system and decreases its data expansion. It is shown that the likelihood of the existence of more than one trapdoor in the system is very small.

Journal ArticleDOI
W.-P. Lu, M.K. Sundareshan
TL;DR: In this paper, a hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between authentication servers and/or control centers of different networks at the higher levels.
Abstract: A hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between authentication servers and/or control centers of different networks at the higher levels. Details of this approach are discussed for specific illustrative scenarios to demonstrate the implementation simplicity. A formal verification of the security of the resulting system in the sense of protecting the privacy of privileged information is also conducted by an axiomatic procedure utilizing certain combinatory logic principles. This approach is general and can be used for verifying the security of other existing key management schemes.

Book ChapterDOI
20 Aug 1989
TL;DR: In this article, the authors present a multiparty-computation protocol based on two kinds of assumptions: (a) public-key cryptography; and (b) limited collusion in a setting where pairs of participants can exchange messages with secret and authenticated content.
Abstract: A multiparty-computation protocol allows each of a set of participants to provide secret input to a mutually agreed computation. Such protocols enforce two security properties: (1) secrecy of the inputs, apart from what is revealed by the output; and (2) correctness of the output, as defined by the agreed computation. All solutions, including those presented here, are based on two kinds of assumptions: (a) public-key cryptography; and (b) limited collusion in a setting where pairs of participants can exchange messages with secret and authenticated content. Some of the previous solutions relied totally on assumption (a), the others totally on (b).

Journal ArticleDOI
01 May 1989
TL;DR: Two new algorithms that facilitate the implementation of RSA in software are described, essentially concerned with performing modular arithmetic operations on very large numbers, which could be of potential use to applications other than RSA.
Abstract: Two new algorithms that facilitate the implementation of RSA in software are described. Both algorithms are essentially concerned with performing modular arithmetic operations on very large numbers, which could be of potential use to applications other than RSA. One algorithm performs modular reduction and the other performs modular multiplication. Both algorithms are based on the use of look-up tables to enable the arithmetic computations to be done on a byte by byte basis.