[Moderator's note. Please please please don't top post. --Perry]

I think you should look for multisignature schemes. There are lots of them.
And BTW - right, EC Pohlig-Hellman is not a public-key cryptosystem. I missed
your requirement.

Regards,
Zacheusz

2010/3/22, Jonathan Katz <jk...@cs.umd.edu>:
> [Moderator's Note: Please please don't top post. --Perry]
>
> That paper was from 1980. A few things have changed since then. =)
>
> In any case, my point still stands: what you actually want is some e-cash
> system with some special properties. Commutative encryption is neither
> necessary nor (probably) sufficient for what you want. Have you at least
> looked at the literature (which must be well over 100 papers) on e-cash?
>
> On Mon, 22 Mar 2010, Sergio Lerner wrote:
>
>> Commutativity is a beautiful and powerful property. See "On the power of
>> Commutativity in Cryptography" by Adi Shamir.
>> Semantic security is great and has given a new provable sense of security,
>> but commutative building blocks can be combined to build the strangest
>> protocols without going into deep mathematics, are better suited for
>> teaching crypto and for high-level protocol design. They are like the
>> "Lego" blocks of cryptography!
>>
>> Now I'm working on a new untraceable e-cash protocol which has some
>> additional properties. And I'm searching for a secure commutable signing
>> primitive.
>>
>> Best regards,
>> Sergio Lerner.
>>
>>
>> On 22/03/2010 09:56 a.m., Jonathan Katz wrote:
>>> Sounds like a bad idea -- at a minimum, your encryption will be
>>> deterministic.
>>>
>>> What are you actually trying to achieve? Usually once you understand
>>> that, you can find a protocol solving your problem already in the crypto
>>> literature.
>>>
>>> On Sun, 21 Mar 2010, Sergio Lerner wrote:
>>>
>>>> I am looking for a public-key cryptosystem that allows commutation of
>>>> the operations of encryption/decryption for different users' keys
>>>> ( Ek(Es(m)) = Es(Ek(m)) ).
>>>> I haven't found a simple cryptosystem in Zp or Z/nZ.
>>>>
>>>> I think the solution may be something like the RSA analogs in elliptic
>>>> curves. Maybe a scheme that allows the use of a common modulus for all
>>>> users (RSA does not).
>>>> I've read about some factoring-based cryptosystems (like Meyer-Muller or
>>>> Koyama-Maurer-Okamoto-Vanstone) but the cryptosystem authors say nothing
>>>> about the possibility of using a common modulus, neither for good nor
>>>> for bad.
>>>>
>>>> Does anyone have deeper knowledge of this crypto to help me?
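
An added illustration, not code from any participant in this thread: the Pohlig-Hellman exponentiation cipher over Zp (the non-EC form of the scheme named in the first reply), showing the commutation Ek(Es(m)) = Es(Ek(m)), the determinism raised in the thread, and why the scheme is not public-key. The prime, the function names and the sample messages are assumptions chosen for the example.

```python
import math
import secrets

# Constructed parameter: the Mersenne prime 2**127 - 1, shared by all users.
# Chosen only so the example runs offline; it is not a vetted parameter choice.
P = 2**127 - 1

def keygen(p=P):
    """Return (e, d) with e*d == 1 (mod p-1). Both exponents must stay secret."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # e in [2, p-2]
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def apply_key(exponent, x, p=P):
    """Encrypt (exponent = e) or decrypt (exponent = d): x**exponent mod p."""
    return pow(x, exponent, p)

def demo():
    ek, dk = keygen()                              # user k
    es, ds = keygen()                              # user s
    m = int.from_bytes(b"coin #42", "big")         # constructed message, 0 < m < P
    m2 = int.from_bytes(b"coin #43", "big")        # constructed message

    c_ks = apply_key(ek, apply_key(es, m))         # Ek(Es(m))
    c_sk = apply_key(es, apply_key(ek, m))         # Es(Ek(m))

    return {
        # Exponents multiply mod p-1, so the order of the layers is irrelevant.
        "commutes": c_ks == c_sk,
        # The two layers can also be removed in either order.
        "peel_any_order": apply_key(ds, apply_key(dk, c_ks)) == m
                          and apply_key(dk, apply_key(ds, c_ks)) == m,
        # No randomness: equal plaintexts give equal ciphertexts, so an
        # observer can link repeated messages (no semantic security).
        "deterministic": apply_key(ek, m) == apply_key(ek, m)
                         and apply_key(ek, m) != apply_key(ek, m2),
        # Not public-key: whoever learns e and the shared p can compute d.
        "d_from_e": pow(ek, -1, P - 1) == dk,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```
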