Big Chemical Encyclopedia

Chemical substances, components, reactions, process design ...

Articles Figures Tables About

Risk bearer

The idea is that there may be special users who are held responsible if the output broken occurs. Such people are called risk bearers. For instance, an insurance may have to pay up in this case, or the party that has introduced the signature scheme, or always the recipient and not the signer. In this case, the correctness of broken is only required in the interest of the court in that dispute plus at least one risk bearer, and the original requirements of the signer and the recipient are relaxed so as to allow the output broken even for the degree low. [Pg.94]

Thus the full fail-stop property is one where everybody is regarded as a risk bearer (except that they do not have special access points for their role as risk bearers then). The full fail-stop property is useful, for instance, if one wants unforgeability in the original sense, or if the system is completely stopped once the output broken occurs and everybody considers this a nuisance. [Pg.94]

The modifications in the specification brought about by special risk bearers are now... [Pg.95]

There are special access points for risk bearers. [Pg.95]

All risk bearers may take part in each initialization, and the identities of the risk bearers that took part successfully are denoted by an additional output parameter Risk,out-... [Pg.95]

Risk bearers do not take part in any other transactions. [Pg.95]

The correctness of broken is required in the interest of the court in the given dispute and any risk bearer. Hence any single risk bearer can guarantee that the output broken does not occur (with the degree low). [Pg.95]

Effectiveness of initialization is weakened by requiring it in the interest of groups consisting of the signer, at least one recipient or court, and any risk bearer. [Pg.95]

The following requirements are stronger than the minimal ones for signature-like schemes with accountable centres. In particular, effectiveness of authentication is required even if all risk bearers are dishonest this is needed when schemes with one risk bearer are used as building blocks for full fail-stop signature schemes. [Pg.95]

Correctness of broken. Part 2. The value acc = broken never occurs in transfers of proofs of forgery. The interest group consists of the receiving court in that transfer, or, if special risk bearers are considered, that court together with any risk bearer. [Pg.96]

Fail-Stop Signature Schemes with Special Risk Bearers... [Pg.123]

In Section 5.2.9, it was mentioned that effectiveness of initialization need not be required explicitly for fail-stop signature schemes with special risk bearers. It is now sketched that correctness of initialization indeed implies effectiveness of initialization in these schemes. [Pg.123]

It has to be shown that an initialization yields acc = TRUE if the signer, a recipient or court, and a risk bearer are honest. First, correctness of initialization in the interest of the signer and the recipient or court means that either acc = TRUE or Risk,oui - 0- Secondly, 0 follows from the correctness of initial-... [Pg.123]

The main variations are in the number of risk bearers and how the risk bearers participate in initialization, and in the number of recipients and the consequences on testing signatures. Furthermore, the existing schemes vary in the message space, the cryptologic assumption that the correctness of broken relies on, and in efficiency. [Pg.127]

Fail-stop security without further attributes means that the correctness of broken is required in the interest of each court individually. However, schemes with fewer special risk bearers (see Section 5.2.9) are important, because they can be much more efficient. For an overview, see Figure 6.2. [Pg.127]

If there are many risk bearers, initialization can be much more complex. However, all existing fail-stop signature schemes are based on a construction with only one risk bearer, and the additional measures to accommodate several risk bearers are very similar for aU these constructions, see Section 7.5. (Sketches were contained in [Pfit89, PfWa90].)... [Pg.128]

In particular, a constraction exists that transforms any fail-stop signature scheme for a fixed risk bearer with 2-message initialization into one for many risk bearers where initialization only needs two rounds In the first round, the entity of each risk bearer broadcasts a separate prekey in the second round, the signer s entity broadcasts a public key. More generally, one can use parallel replications of the initialization of any fail-stop signature scheme for a fixed risk bearer, see Section 7.5.1. This soimds quite efficient however, it has so far implied that the complexity of the other transactions grows linearly with the number of risk bearers. In contrast, versions with more complex initialization exist where the complexity of the other transactions is not larger than in the case with one risk bearer, see Section 7.5.2. [Pg.128]

Risk bearers trust a common device see 1 risk bearer )... [Pg.128]

Complexity of other transactions linear in number of risk bearers... [Pg.128]

Figure 6.2. Existing fail-stop signature schemes, classified according to risk bearers... Figure 6.2. Existing fail-stop signature schemes, classified according to risk bearers...
Note that according to the description above, the entities of courts and recipients do not send any messages in the initialization of existing fail-stop signature schemes with special risk bearers they only receive messages that are broadcast by the entities of the signer and the risk bearers. [Pg.128]

The second service property in which existing fail-stop signature schemes differ is the dependence of authentication on the recipients (see Section 5.2.10). This classification is independent of that according to risk bearers. However, the cases... [Pg.128]

Similar to the convention with risk bearers, a fail-stop signature scheme without further attributes is assumed to provide the most general service, i.e., no dependence on the recipient, but more restricted schemes can be more efficient, in particular in their test algorithms. The two most common cases are (see Figure 6.3) ... [Pg.129]

The main variation is in the dependence on the recipients. Their role is similar to that of the risk bearers in fail-stop signature schemes To guarantee computational security for each recipient, even if many other participants are attacking, the entities of all recipients must take part in initialization. Hence initialization is much simpler if it is for a fixed recipient. [Pg.131]

Of course, selecting risk bearers arbitrarily only works for financial risks (and even there, only to a certain extent). In a large-scale application in the real world, the fail-stop property would make individuals safe from a strong risk, but still leave them with a smaller risk, such as higher insurance premiums or having to use handwritten signatures again. [Pg.138]

This will be sufficient for a proof of forgery. The pair of two signatures on the same message can either immediately count as a proof of forgery, as illustrated in Figure 6.8, or there can be a procedure that constructs a simpler proof from such a pair. For instance, such a proof could be a factor of a number that the signer should not have been able to factor (see Section 6.1.2, Number of Risk Bearers. .. ). [Pg.141]

The complexity of the most efficient schemes for signing one message block is almost as low as that of efficient ordinary digital signature schemes. The same holds if message hashing is added. (Note that this subsection assumes a fixed risk bearer or any other version that has the same effect on the efficiency of authentication, cf. Figure 6.2.)... [Pg.144]

The actual definition of so-called standard fail-stop signature schemes is contained in Section 7.1. In Section 7.2, relations to alternative or additional security properties are shown. Section 7.3 presents fail-stop signature schemes with prekey, an important subclass, and proves simplified security criteria for them. Section 7.4 shows the relation between standard fail-stop signature schemes and ordinary digital signature schemes. Section 7.5 contains constructions of schemes with many risk bearers from schemes with one risk bearer. [Pg.149]

Section 7.1.1 explains why one can concentrate on schemes with special risk bearers. The components of the schemes are derived in Section 7.1.2 and summarized formally in Definitions 7.1 to 7.3. The requirements, which are now mixed with considerations of structure and degree of security, are studied in Sections 7.1.3 to 7.1.5. [Pg.149]

The following sections concentrate on standard fail-stop signature schemes with special risk bearers. In particular, the formal versions of the definitions and constructions are only presented for such schemes. [Pg.150]

One reason is that the formal definitions of fiill fail-stop signature schemes can be derived from the informal discussions just like those with special risk bearers. [Pg.150]

See other pages where Risk bearer is mentioned: [Pg.63]    [Pg.94]    [Pg.95]    [Pg.95]    [Pg.108]    [Pg.123]    [Pg.127]    [Pg.127]    [Pg.127]    [Pg.128]    [Pg.128]    [Pg.128]    [Pg.129]    [Pg.130]    [Pg.132]    [Pg.137]    [Pg.138]    [Pg.149]    [Pg.150]   
See also in sourсe #XX -- [ Pg.63 , Pg.94 ]



SEARCH



Concentrating on Schemes with Special Risk Bearers

Constructions with Many Risk Bearers

Existing fail-stop signature schemes, classified according to risk bearers

Many risk bearers

Security for risk bearers

Security for the risk bearer

© 2024 chempedia.info