C.P. Schnorr, "Efficient identification and signatures for smart cards", Advances in Cryptology - Crypto 89, G. Brassard (ed.), Lecture Notes in Computer Science 435, 239-251, Springer-Verlag (1990).  Home/Search   Document Not in Database   Summary   Related Articles   Check

....s) is Alice s signature on ,r, by checking whether fiaasa( y. r s rood p is satisfied. Since its publication in 1985, ElGinhal signature lt;k received extensive scrutiny by the research community. In addition, it tttk bccn generalized and adapted to numerous different forms (see for instmtcc [23, 4, 18, 20] and especially [11] where an exhaustive survey of some 13000 E1GamM based signatures has bccn carried out. Two notable variants of E1Gamal signature arc Schnorr signa ture [23] and DSS or Digital Signature Standard [18] With DSS, g is an integer in [1, p 1] with order q modulo p, where q ....

....community. In addition, it tttk bccn generalized and adapted to numerous different forms (see for instmtcc [23, 4, 18, 20] and especially [11] where an exhaustive survey of some 13000 E1GamM based signatures has bccn carried out. Two notable variants of E1Gamal signature arc Schnorr signa ture [23] and DSS or Digital Signature Standard [18] With DSS, g is an integer in [1, p 1] with order q modulo p, where q is a large prime 5;ctor ofp 1. Alice s signature on a message m is composed of two numbers r and s which arc defined s r = gz Inod 9) rood q , ho, sh, m, z, r) x,nod ....

Schnorr, C. P.: Efficient identification and signatures for smart caxds. In Advances in Cryptology - CRYPTO'89 (Berlin, New York, Tokyo, 1990) vol. 435 of Lecture Notes in Computer Science Springer-Verlag pp. 239 251.

....on a cryptographic hash function, H , which for the proofs we will assume behaves like a random oracle (a common assumption in cryptographic research, first formalized in [4] Before going into the details of 2Schnorr, we briefly describe the standard Schnorr scheme. The Schnorr signature scheme [31] was first proposed as an application of the Fiat Shamir transformation [14] It can be instantiated on any group G of prime order in which the discrete log problem is believed to be hard. Schnorr has been proven secure under the standard notion of existential unforgeability against an adaptive ....

C. Schnorr. Efficient identification and signature for smart cards. In Advances in Cryptology---Crypto'89, volume 435 of Lecture Notes in Computer Science, pages 235--251, Berlin, 1990. Springer-Verlag.

....identities. But the public key of a group depends on the size of the group 1. In [4] Camenisch and Stadler presented an efficient solution of the key increasing problem. They proposed a signature of the knowledge of the discrete logarithm, which is basically a modification of Schnorr signature [17]. Boneh and Franklin [2] proposed anonymous authen tication schemes based on proof of knowledge for the th root of modulo n and the RSA scheme. In [16] an anonymous authentication protocol using public key set of all group members was introduced. As pointed out by the authors, Verifiably ....

C.P. Schnorr, "Efficient identification and signa- tures for smart cards", Crypto 1989.

....cryptographic tool allows one party to prove the knowledge of a secret value, without revealing any information on it. Such tools are zero knowledge proofs of knowledge and minimum disclosure proofs. The notion of signature of knowledge is based (originally) on the Schnorr digital signature scheme [16]. We call them signature of knowledge instead of proofs of knowledge to avoid confusion with zero knowledge proofs while reminding the fact they are based on signature schemes (being message dependent) Let us review the most important signatures of knowledge one can find in the area of group ....

C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In G. Brassard, editor, Crypto '89, volume 435 of LNCS, pages 239--252. Springer-Verlag, 1990.

....1) The algorithm finally outputs (r; s) the verification algorithm checks the equation g mod p. As already seen in the original paper, one cannot show that the scheme is fully secure because it is subject to existential forgery. Following a design that appears in the work of Schnorr [16], we proposed to modify the scheme by using a hash function f . Description of the modified El Gamal scheme In this variant, we replace m by the hash value of the part of the computation bound not to change, namely f(m; r) the key generation algorithm: unchanged. the signature algorithm: ....

Schnorr, C.: Efficient identification and signatures for smart cards. In Advances in Cryptology -- Proceedings of CRYPTO '89 (1990) vol. Lecture Notes in Computer Science 435 Springer-Verlag pp. 235--251.

....particular in the signature scheme with precomputation [2] In many discrete logarithm based protocols, one needs to generate pairs of the form (x; g (mod p) where x is random and g is a fixed base. The El Gamal [5] and DSA [13] Digital Signature Algorithm) signatures as well as the Schnorr [18, 19] and Brickell McCurley [4] identification and signature schemes are examples of such protocols. The generation of these pairs is often the most expensive operation, which makes it tempting to reduce the 3 number of modular multiplications required per generation, especially for smartcards. There ....

....ways to solve this problem. One way is to generate separately a random x, and then to compute g (mod p) using a precomputation method [3, 7, 16, 10] The other way is to generate x and g (mod p) together by a special pseudo random number generator which also uses precomputation. Schnorr [18] was the first to propose such a preprocessing scheme. The scheme has much better performances than all other methods but there is a certain drawback: the output exponent x is no more guaranteed to be random, and therefore, each generation might leak information. Indeed, de Rooij [15] showed how ....

[Article contains additional citation context not shown here]

C. P. Schnorr, `Efficient identification and signatures for smart cards', Proc. of Crypto'89, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 435 (1990), 239--252.

....We also describe a variant of PECDSA with partial message recovery and the same security properties (but the reader can skip the sections of this paper that deal with partial message recovery) 1. 2 Related work Many variants of the original E1Gamal [12] signature scheme have been described [1, 2, 16, 22 24, 27 30, 33, 34]. Some effort has been done towards an global description of those schemes. Horster, Michels and Petersen [17 19] defined the Meta E1Gamal signature schemes. Brickell, Pointcheval, Vaudenay and Yung [6] defined the Trusted E1Gamal type signature schemes of type I and II. The security proofs in ....

.... ECDSA II scheme [20] is defined on a prime order elliptic curve sub group, with E1Gamal category, ECxq projection and type II hash. 10 ECDSA III scheme [20] is defined on a prime order elliptic curve sub group, with E1Gamal category, ECaddq projection and type II hash. Schnorr scheme [33] is defined on a prime order multiplicative subgroup of 7p, with a slight variant of Schnorr category (where h replaces h) E1Gamal projection and type II hash. Nyberg Rueppel scheme [28, 29] is a scheme with total message re covery: no variable ra. It is defined on a prime order ....

C. Schnorr. Efficient Identification and Signatures for Smart Cards. Proc Crypro'89, LNCS 435, pages 239-252, Aug. 1989.

....providing private and authenticated communications. Much research has been done into creating encryption schemes to meet highly developed notions of privacy [4 6, 10 13] Similarly, designing unforgeable signature schemes to give authenticity and non repudiation is also a well studied problem [8, 14, 17 20]. It is possible to combine encryption schemes and signature schemes, using methods such as those described in [2] to obtain private and authenticated communications. In 1997 Zheng proposed a primitive that he called signcryption [23] The idea of a signcryption scheme is to combine the ....

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 235--251. Springer-Verlag, 1990.

....be used. 2 Description of the primitive We first remind the most well known asymmetric identification schemes based on the discrete logarithm problem. Then, we propose a complete mathematical description of GPS. 2.1 Identification schemes based on the discrete log problem In 1989, C. Schnorr [27] proposed a proof of knowledge of discrete logarithm in groups of known prime order. This proof is a more efficient version of previous proposals of Chaum et al. 7, 6] and Beth [3] Using the Fiat Shamir paradigm [11] such a proof can be used as an identification scheme or converted into a ....

.... but we do not know how to prove the zero knowledge property if the verifier can bias the distribution of the challenges when they are large enough, i.e. Order of the multiplicative group KNOWN UNKNOWN Chaum Everste van de Graaf Peralta [7, 6] Order of g Beth [al Girault [12] KNOWN Schnorr [27] Biham Shulnmn [4] Okamoto [24] Order of g Girault Poupard Stern [13, 25] Brickell McCurley 5] UNKNOWN Poupard Stern [26] Fig. 1. Discrete log related schemes when B is non polynomial. As a consequence, we can only prove the security of Schnorr identification against passive adversaries. A ....

C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In Crypro '89, LNCS 435, pages 235 251. Springer-Verlag, 1990.

....R to U . 4: After receiving R from B, U computes blinded value for c; Q ps and RB1 using secret random values u and v, and sends e to B. Obtain R B1 from B Choose u; v 2R [2; q 1] RB1 = uR vP (6) e = h(RB1 jjcjjQ ps ) e=u 5: B generates blind Schnorr signature s B [31] for e and sends s B to U . s B = xB1 e (7) 6: U computes B s signature s B by unblinding s B using u and v. U generates B by concatenating s B and RB1 as (8) U verifies B by checking (9) and stores B ; c; and Ind(Q ps ) in Coin DB. s B = s B u v B = RB1 jjs B ) ....

C. P. Schnorr, "Efficient identification and signatures for smart cards," In Advances in Cryptology-Proc. of CRYPTO'89, LNCS 435, SpringerVerlag, 1990.

....transactions cannot be linked as having been withdrawn by the same user. Blind signature schemes have been devised for different public key algorithms with performance based on the efficiency of the underlying algorithm. Blind signatures based on RSA signatures [Cha85] and Schnorr signatures [Sch89] have been used in electronic cash schemes [CFN88, CP92a, Bra93, Fer93a] including the commercially deployed Ecash [Sch98] Variants on these include Ferguson s randomised blind signature [Fer93a] the Chaum Pederson double Schnorr signature [CP92a] and Chaum s blind unanticipated signature ....

....corresponding private key, is required to spend the change at a new vendor. This allows post fact detection of user double spending. User vendor collusion is possible but with post fact detection of the vendor provided, all spent parts of the chain are later redeemed. Schnorr public key signatures [Sch89] are used, which can be largely pre computed offline, and require only a hash function followed by a single modular multiplication and addition. However, Schnorr signature verification is not lightweight. 43 To provide user anonymity, a broker blind signature is used during purchase, and a new ....

C. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology -- CRYPTO '89 Proceedings, pp. 239-52, Lecture Notes in Computer Science vol. 435. Springer-Verlag, Berlin, Germany, 1990.

....are used as z = r Delta x f mod n and y = t Delta z g mod n (see RSA S1M) This means that r can be chosen at random in a restricted domain. One possible way, which we will adopt in this paper, is to use preprocessing algorithms for random exponentiation such as the one proposed by Schnorr [17,18]. For this, the prime factors p; q of n are chosen so that a prime fi divides both p Gamma 1 and q Gamma 1 and then a base ff of order fi mod n is randomly generated. Now the client securely stores a small number of pairs fs; ff s mod ng with random s 2 Z fi . Then, during 2 Kawamura [12] has ....

....ff and fi secret. However, note that there exists no known algorithm for factoring n (for jnj 512) faster with knowledge of fi of size 64 80. ffl From the above remarks, we can see that Schnorr s algorithm can be safely used even with smaller sizes of security parameters than those given in [17]. Thus it is possible to compute one value of ff k mod n in around 10 multiplications mod n. For a practical implementation, all computations mod n can be performed mod p and mod q and then the results can be combined using the CRT. This will almost halve the computational amount. 5.2 Random ....

C.P.Schnorr, Efficient identification and signatures for smart cards, In Proc. of Crypto'89, S.V., LNCS 435, 239-252 (1990).

.... 8 As opposed to the Pollard Lambda type algorithms for which there has not been substantial progress for about twenty five years [41] a variation on the previous attack allows for an insider attack where a user can fool the CA when specific signature schemes are used (e.g. Schnorr signatures [48], see [36] for the details) Hence, when this type of attack can be mounted, we should check the order of the public keys. 4 Authentication In the previous section we presented attacks related to the mathematical structure of the DH protocol primitives. In this section we address issues related ....

SCHNORR, C. P. Efficient identification and signatures for smart cards. In Advances in Cryptology---EUROCRYPT 89 (10--13 Apr.

....cryptographic tool allows one party to prove the knowledge of a secret value, without revealing any information on it. Such tools are zero knowledge proofs of knowledge and minimum disclosure proofs. The notion of signature of knowledge is based (originally) on the Schnorr digital signature scheme [16]. We call them signature of knowledge instead of proofs of knowledge to avoid confusion with zero knowledge proofs while reminding the fact they are based on signature schemes (being message dependent) Let us review the most important signatures of knowledge one can find in the area of group ....

C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In G. Brassard, editor, Crypto '89, volume 435 of LNCS, pages 239--252. Springer-Verlag, 1990.

....because the protocol is actually vulnerable to client impersonations as well as server impersonations and dictionary attacks if a password file is compromised. Bob can store rather than g and for this case G 2 benefits from the simultaneous multiple exponentiation method in terms of efficiency[28, 35]. Above all, g must be kept secure because it is actually vulnerable to guessing attacks. So we propose an amplified password file idea for improving the security of the password file. The Amplified Password File. As for the password file, an asymmetric setup is preferred because of the ....

.... Gamma) E( Gamma : G 1 ) y ( y ) and E(G 2 : G y 1 g ey ) while all variants have similar operations. Here Gamma means no modular exponentiation such as O( log n) 3 ) Note that AMP operations should benefit from the simultaneous multiple exponentiation method for efficiency[35, 28]. As for g 1 e1 g 2 e2 , we don t need to compute g 1 e1 and g 2 e2 separately. A simple description of the simultaneous method is as follows; a) t = length(e) length of exponent : blog qc 1 (b) g x = g 1 g 2 mod p; precomputation (c) set( fG[0] 1; G[1] g 1 ; G[2] g 2 ; ....

[Article contains additional citation context not shown here]

C.P.Schnorr, "Efficient identification and signatures for smart cards," Crypto 89, LNCS, pp.239-251, 1989

....easy to check, and yet difficult to forge. By using the private key to sign, and the public key to verify, this notion was achieved. As time passed, several other realizations of public key cryptosystems and digital signatures were proposed; see for example the papers of ElGamal and Schnorr [17, 36]. Once people understood these techniques, they tried to use them in designing more complex signature protocols which were geared toward more complex tasks. This thesis presents such a protocol: the Group Blind Digital Signature. This type of signature combines two notions which previously existed ....

....of great importance, but unfortunately the construction is very complex, and therefore is not suitable for practical use. Pointcheval and Stern [30] presented blind variants of various digital signature schemes. The signature schemes they addressed included those of Okamoto [29] and Schnorr [36]. The proofs of security in these schemes required various numbertheoretic conjectures and were given in the Random Oracle Model. Having presented some of the history of blind digital signatures, we now move on 17 to discuss two well known blind signature schemes. Later we show how to use these ....

[Article contains additional citation context not shown here]

C. P. Schnorr. Efficient identification and signatures for smart cards. In G. Brassard, editor, Proc. CRYPTO 89, pages 239--252. Springer-Verlag, 1990. Lecture Notes in Computer Science No. 435.

No context found.

C.P. Schnorr, "Efficient identification and signatures for smart cards", Advances in Cryptology - Crypto 89, G. Brassard (ed.), Lecture Notes in Computer Science 435, 239-251, Springer-Verlag (1990).

No context found.

C. Schnorr. Efficient identification and signatures for smartcards. In G. Brassard, editor, CRYPTO

No context found.

C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In Crypto '89, LNCS 435, pages 235--251. Springer-Verlag, Berlin, 1990.

No context found.

C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. In Proceedings of Crypto '89, Lecture Notes in Computer Science 435, Springer-Verlag, 1990, 235--251,

No context found.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology -- EUROCRYPT '89 (LNCS 434), pp. 688--689, 1989.

No context found.

C.P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - Crypto '89, pages 239-251, Springer-Verlag, New York, 1990.

No context found.

C. P. Schnorr, Efficient identification and signatures for smart cards Advances in Cryptology (Proc. Crypto '89), LNCS 435 (1990), 239--252.

No context found.

C.P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - Crypto '89, pages 239-251, Springer-Verlag, New York, 1990.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC