Signature schemes and applications to cryptographic protocol design
Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.
Ronald L. Rivest.
Signature schemes are fundamental cryptographic primitives, useful as a stand-alone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important application of digital signature schemes is an anonymous credential system. In such a system, one can obtain and prove possession of credentials without revealing any additional information. Such systems are the best means of balancing the need of individuals for privacy with the need of large organizations to verify that the people they interact with have the required credentials. We show how to construct an efficient anonymous credential system using an appropriate signature scheme; we then give an example of such a signature scheme. The resulting system is the first one with satisfactory communication and computation costs. The signature scheme we use to construct an anonymous credential system is of independent interest for use in other protocols. The special property of this signature scheme is that it admits an efficient protocol for a zero-knowledge proof of knowledge of a signature. Further, we consider the question of revocation of signatures. We obtain an efficient revocation scheme. This has immediate consequences for revocation of credentials in our credential system. We explore other uses for signature schemes as building blocks for designing cryptographic objects and secure protocols. We give a unique signature scheme which has implications for verifiable random functions and for non-interactive zero-knowledge proofs. Finally, we consider the use of signatures for implementing a broadcast channel in a point-to-point network.
It was previously shown that while broadcast was impossible without computational assumptions in a point-to-point network where one-third or more nodes exhibited adversarial behavior, using an appropriate set-up phase and a signature scheme, the impossibility could be overcome. We show that the situation is more complex than was previously believed. We consider the composition of protocols in this model, and discover severe limitations. We also show how to augment the model to overcome these limitations.
Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2002. Includes bibliographical references (p. 123-134).