We show the first proactive RSA scheme with a fully non-interactive signature protocol. The scheme is secure and robust with the optimal threshold of t < n/2 corruptions. Such a protocol is very attractive in practice: When a party requesting a signature contacts t′ > t among n trustees which implement a proactive RSA scheme, the trustees do not need to communicate with each other, and simply respond with a single “partial signature” message to the requester, who can reconstruct the standard RSA signature from the first t + 1 responses he receives. The computation costs incurred by each party are comparable to standard RSA signature computation. Such a non-interactive signature protocol was known for threshold RSA [1], but previous proactive RSA schemes [2,3] required all trustees to participate in the signature generation, which made these schemes impractical in many networking environments. On the other hand, proactivity, i.e. an ability to refresh the secret-sharing of the signature key between the trustees, not only makes threshold cryptosystems more secure, but it is actually a crucial component for any threshold scheme in practice, since it allows for secure replacement of a trustee in case of repairs, hardware upgrades, etc. The proactive RSA scheme we present shows that it is possible to have the best of both worlds: A highly practical non-interactive signature protocol and an ability to refresh the secret-sharing of the signature key. This brings attack-resilient implementations of root sources of trust in any cryptographic scheme closer to practice.
We present an efficient implementation of affiliation-hiding envelope and authentication schemes. An envelope scheme enables secure message transmission between two parties such that the message can be decrypted only by a receiver who holds a credential from (i.e. is affiliated with) an entity specified by the sender’s authorization policy. An envelope scheme is affiliation-hiding if it hides the receiver’s affiliation, and
Abstract. Exponential growth in digital information gathering, storage, and processing capabilities inexorably leads to conflict between well-intentioned government or commercial datamining, and fundamental privacy interests of individuals and organizations. This ...
Papers by Stanislaw Jarecki