C. Dwork and M. Naor. Method for message authentication from non-malleable cryptosystems, 1996. U. S. Patent No. 05539826.
....[BDPR98, DDN00] An encryption scheme secure against adaptive chosen ciphertext attack is a very powerful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authentication and key exchange [DN96, DDN00, Sho99] and in protocols for escrow, certified e mail, and more general fair exchange [ASW00]. It is by now generally recognized in the cryptographic research community that security against adaptive chosen ciphertext attack is the right notion of security for a general purpose public key encryption ....
C. Dwork and M. Naor. Method for message authentication from non-malleable cryptosystems, 1996. U. S. Patent No. 05539826.
....are equivalent [10] A cryptosystem secure against adaptive chosen ciphertext attack is a very powerful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authentication and key exchange [11, 10, 2] and in protocols for escrow, certified e mail, and more general fair exchange [1, 22] The practical importance of this primitive is also highlighted by the adoption of Bellare and Rogaway's OAEP scheme [4] (a practical but only heuristically secure scheme) as an internet encryption standard and ....
C. Dwork and M. Naor. Method for message authentication from nonmalleable cryptosystems, 1996. U. S. Patent No. 05539826.
....arbitrary computation time) [17] We note that even in the timing based model, zero knowledge proof systems for languages outside of BPP require two rounds of interaction. No such result is known for the bounded advice model. We also use zaps to construct 2 round deniable authentication protocols [12, 15, 16, 17]. Intuitively, a protocol is black box zero knowledge if there is a universal simulator, which when given black box access to any verifier strategy, is able to produce a simulation of that verifier with the prover. Virtually all zero knowledge proofs until very recently were black box (but ....
....does not permit V to convince a third party that AP has authenticated m there is no paper trail of the conversation (say, other than what could be produced by V alone) Thus, deniable authentication is incomparable with digital signatures. Deniable authentication first appeared in [12, 15]; and was formalized in [16] see also [17] Several 4 round timed concurrent deniable authentication protocols are given in [16, 17] The authentication protocol should satisfy: Completeness: For any message m, if the prover and verifier follow the protocol for authenticating m, then the ....
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
....very recently where black box (but see [1] for the first example of a protocol which does not fit this category) 2 outside of BPP require two rounds of interaction. No such result is known for the bounded advice model. We also use zaps to construct 2 round deniable authentication protocols [12, 15, 16, 17]. Intuitively, deniable authentication is like a signature scheme in that it permits one party to authenticate messages to another party, based on a public key; however, unlike in the case of digital signatures, the authenticating conversation leaves no trace, for example, it may be simulable, ....
....does not permit V to convince a third party that AP has authenticated m there is no paper trail of the conversation (say, other than what could be produced by V alone) Thus, deniable authentication is incomparable with digital signatures. Deniable authentication first appeared in [12, 15]; and was formalized in [16] see also [17] Several 4 round timed concurrent deniable authentication protocols are given in [16, 17] The authentication protocol should satisfy: Completeness: For any message m, if the prover and verifier follow the protocol for authenticating m, then the ....
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
No context found.
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
....of our straight line simulator will be computationally indistinguishable from the distribution of actual conversation transcripts of this protocol. As usual, completeness follows by inspection. 4.5 Deniable Message Authentication We consider the problem of deniable message authentication [15, 17, 18]. Here, the prover wishes to authenticate a message m to the verifier, in such a way that no other party can verify the authentication. In particular, we require that verifiers cannot prove to anyone else that the prover authenticated m. It suffices that the protocol be concurrent zero knowledge, since ....
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
....not be zero knowledge, it protects any private key used in the authentication to a great extent otherwise it would be possible to impersonate the authenticator by learning the private authentication key. The following public key authentication protocol appears in Section 3.5 of [21] (see also [23]) P's public key is E, chosen according to a generator of a non malleable public key cryptosystems. Roughly speaking, a public key cryptosystem is non malleable if, for all polynomial time relations R (with certain trivial exceptions) seeing an encryption E( does not help an attacker to ....
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996. 23
No context found.
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
....the protocol may not be zero knowledge, it protects any private key used in the authentication to a great extent otherwise it would be possible to impersonate the authenticator by learning the private authentication key. The following public key authentication protocol appears in [16] (see also [18]) P's public key is E, chosen according to a non malleable public key cryptosystem generator. Roughly speaking, a public key cryptosystem is non malleable if, for all polynomial time relations R (with certain trivial exceptions) seeing an encryption E(α) does not help an attacker to ....
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
....indistinguishable from the distribution of actual conversation transcripts of this protocol. Deniable Message Authentication. NIZK proofs can also be useful for constructing straight line zero knowledge protocols for other applications. Consider the problem of deniable message authentication [13, 15, 16]. Here, the prover wishes to authenticate a message m to the verifier, in such a way that no other party can verify the authentication. In particular, we require that verifiers cannot prove to anyone else that the prover authenticated m. It suffices that the protocol be concurrent zero knowledge, ....
C. Dwork and M. Naor, Method for message authentication from non-malleable crypto systems, US Patent No. 05539826, issued Aug. 29th 1996.
No context found.
C. Dwork and M. Naor. Method for message authentication from non-malleable cryptosystems, 1996. U. S. Patent No. 05539826.