Ivan Damgård

A Design Principle for Hash Functions

We show that if there exists a computationally collision free function f from m bits to t bits where m > t, then there exists a computationally collision free function h mapping messages of arbitrary polynomial lengths to t-bit strings.Let n be the length of the message, h can be constructed either such that it can be evaluated in time linear in n using 1 processor, or such that it takes time O(log(n)) using O(n) processors, counting evaluations of f as one step. Finally, for any constant k and large n, a speedup by a factor of k over the first construction is available using k processors.Apart from suggesting a generally sound design principle for hash functions, our results give a unified view of several apparently unrelated constructions of hash functions proposed earlier. It also suggests changes to other proposed constructions to make a proof of security potentially easier.We give three concrete examples of constructions, based on modular squaring, on Wolframs pseudoranddom bit generator [Wo], and on the knapsack problem.

Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols

Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets denned by S. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances axe independently generated, we get a witness hiding protocol, even if P did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions.

Multiparty Computation from Somewhat Homomorphic Encryption

We propose a general multiparty computation protocol secure against an active adversary corrupting up to

A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System

n-1

Efficient concurrent zero-knowledge in the auxiliary string model

of the n players. The protocol may be used to compute securely arithmetic circuits over any finite field

Convertible Undeniable Signatures

\mathbb {F}_{p^k}