I. Damgard and J. B. Nielsen. Improved Non-Committing Encryption Schemes Based on General Complexity Assumptions. Adv. in Cryptology --- Crypto  Home/Search   Document Details and Download   Summary   Related Articles   Check

....has already received several encrypted messages. Learning the player s secret key will (in general) allow the adversary to read all past messages, thereby making it much harder to prove any simulationbased notion of security. In all known adaptively secure non interactive encryption schemes (e.g. [4, 11, 5, 13]) the size of the decryption key must exceed the total length of all messages to be decrypted throughout the lifetime of the system. Furthermore, Nielsen has recently shown that this property is essential for encryption schemes that are not key evolving [33] this holds even if the model itself ....

I.B. Damgard and J.B. Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. Crypto '00, LNCS vol. 1880, pp. 432--450, Springer-Verlag, 2000.

....based on the following cryptographic assumptions. For the non adaptive case (both semi honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive, semi honest case we additionally assume the existence of obliviously generatable public key encryptionschemes as in [22, 16] where public keys can be generated without knowing the corresponding private keys. Alternatively, if we assume existence of dense cryptosystems [22] where public key is uniformly distributed) a requirement that clearly implies obliviously generatable public key then we can assume that our ....

....case the protocol of [25, 33, 31] suces. In the adaptive case our protocol uses non committing encryption (as in [11] with the additional property that there is an alternative key generation algorithm that generates only public encryption keys without the corresponding decryption key. Following [16], we call this the oblivious generation property. All known noncommitting encryption schemes have this property. Such schemes exist under either the RSA assumption or the DDH assumption. In all, we show: Proposition 2. Assume that trapdoor permutations and two party non committing encryption ....

I. Damgard and J. Nielsen. Improved non-committing encryption schemes based on general complexity assumption. CRYPTO 2000.

....stand alone model. One way to guarantee that protocols withstand some speci c security threats in multi execution environments is to explicitly incorporate these threats into the security model and analysis. Such an approach was taken, for instance, in the case of non malleability of protocols [ddn00] and regarding the concurrent composition of zero knowledge [dns98, rk99] and oblivious transfer [gm00] However, this approach is inherently limited since it needs to explicitly address each new concern, whereas in a realistic network setting, the threats may be unpredictable. Furthermore, it ....

....case (both semi honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive case we additionally assume the existence of augmented non committing encryption protocols [cfgn96] The augmentation includes oblivious key generation and invertible samplability [dn00]. Loosely speaking, oblivious key generation states that public keys can be generated without knowing the corresponding private keys, and invertible samplability states that given a public private key pair it is possible to obtain the random coin tosses of the key generator when outputting this ....

[Article contains additional citation context not shown here]

I. Damgard and J.B. Nielsen. Improved non-committing encryption schemes based on general complexity assumptions. In CRYPTO'00, Springer-Verlag (LNCS 1880), pages 432-450.

....stand alone model. One way to guarantee that protocols withstand some specific security threats in multi execution environments is to explicitly incorporate these threats into the security model and analysis. Such an approach was taken, for instance, in the case of non malleability of protocols [ddn00] and regarding the concurrent composition of zero knowledge [dns98, rk99] and oblivious transfer [gm00] However, this approach is inherently limited since it needs to explicitly address each new concern, whereas in a realistic network setting, the threats may be unpredictable. Furthermore, it ....

....case (both semi honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive case we additionally assume the existence of augmented non committing encryption protocols [cfgn96] The augmentation includes oblivious key generation and invertible samplability [dn00]. Loosely speaking, oblivious key generation states that public keys can be generated without knowing the corresponding private keys, and invertible samplability states that given a public private key pair it is possible to obtain the random coin tosses of the key generator when outputting this ....

[Article contains additional citation context not shown here]

I. Damgard and J.B. Nielsen. Improved non-committing encryption schemes based on general complexity assumptions. In CRYPTO'00, Springer-Verlag (LNCS 1880), pages 432--450.

....due to Cramer et al. 10] which is adaptively secure and tolerates any number of corruptions below one half of the servers. In order to implement secure channels required by Cramer et al. 10] we use the non committing encryption technique due to Canetti et al. 6] and Damg ard and Nielsen [13]. The protocol described above will be secure: suppose we are given a target public key (PK;E;S(SK) Our goal is to construct a simulator S which, on input the identity of an inconsistent party PS , simulates the adversary s view of the computation provided the adversary does not corrupt PS . We ....

Ivan Damgard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Mihir Bellare, editor, Advances in Cryptology | CRYPTO '00, volume 1880 of Lecture Notes in Computer Science, pages 432-450. Springer Verlag, 2000.

....is a difficult task which, in general, seems to require the players to use a non committing encryption [CFGN96] The first efficient implementation of such encryption was earlier given by [BH92] but they introduced an assumption that the players can erase local data. Subsequently, CFGN96,Bea97,DN00] have implementated such encryption without the use of erasures, but these implementation carry a vary large communication and complexity overhead, from quadratic to linear in the security parameter. However, since threshold DSS and RSA are specific examples of secure distributed function ....

....but is statistically independent from a plaintext. Furthermore, if the adversary corrupts the receiver of this quasi ciphertext, the simulator can open it as a valid encryption of some message. The selectively secure encryption is weaker than the non committing encryption of [CFGN96,Bea97,DN00] in two aspects: i) Upon the corruption of a receiver, the simulator can open such quasi ciphertexts in only one way; and ii) All bets are off if the adversary corrupts the sender. Our implementation of this novel encryption primitive has an effiency comparable to the ElGamal encryption from ....

[Article contains additional citation context not shown here]

Ivan Damgard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. to be published, 2000.

No context found.

Ivan Damgard and Jesper B. Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Mihir Bellare, editor, Advances in Cryptology - Crypto 2000, pages 432--450, Berlin, 2000. SpringerVerlag. Lecture Notes in Computer Science Volume 1880.

....from the collective output of all uncorrupted parties and A after attacking a real life execution of the protocol with input m. A complete definition and a summary of previous definitional work appears in [8] A sketch of the part of the model used in this paper appears in our technical report [11]. 5.1 The Main Idea S R c # 0, 1 d # 0, 1 rc # RK ed # RE r1 c # R K e 1 d # RC (Pc , Sc) # K(rc) P1 c # K(r1 c) P 0 ,P 1 # Md #MP d M1 d #MP 1 d Cd # EP d (Md , ed ) C1 d # CP d (e1 d ) M 0 ,M 1 # C 0 ,C 1 s # # 0 if DSc (Cc) Mc ....

....a hybrids argument, going from (1) to (2) using (in this order) the oblivious public key generation including the invertible sampling of K, the oblivious ciphertext generation including the invertible sampling of C, and finally the semantic security. For more details see the technical report [11]. # Why Failed Attempts Cannot be Simulated without Committing Consider the situation where c #= d. The secret key S c is always known by S. If this key becomes known to the adversary by corrupting S, he can check whether DSc (C 1 d ) #= M 1 d , as it should be with high probability. The ....

[Article contains additional citation context not shown here]

Ivan B. Damgard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. Research Series RS-00-6, BRICS, Department of Computer Science, University of Aarhus, March 2000.

....from the collective output of all uncorrupted parties and A after attacking a real life execution of the protocol with input m. A complete definition and a summary of previous definitional work appears in [8] A sketch of the part of the model used in this paper appears in our technical report [11]. 5.1 The Main Idea S R c # 0, 1 d # 0, 1 rc # RK ed # RE r1 c # R K e 1 d # RC (Pc , Sc) # K(rc) P1 c # K(r1 c) P 0 ,P 1 # Md #MP d M1 d #MP 1 d Cd # EP d (Md , ed ) C 1 d # CP d (e 1 d ) M 0 ,M 1 # C 0 ,C 1 s # # 0 if DSc (Cc) ....

....a hybrids argument, going from (1) to (2) using (in this order) the oblivious public key generation including the invertible sampling of K, the oblivious ciphertext generation including the invertible sampling of C, and finally the semantic security. For more details see the technical report [11]. # Why failed attempts cannot be simulated without committing Consider the situation where c #= d. The secret key S c is always known by S. If this key becomes known to the adversary by corrupting S, he can check whether DSc (C 1 d ) #= M 1 d , as it should be with high probability. The ....

[Article contains additional citation context not shown here]

Ivan B. Damgard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. Research Series RS-00-6, BRICS, Department of Computer Science, University of Aarhus, March 2000.

No context found.

I. Damgard and J. B. Nielsen. Improved Non-Committing Encryption Schemes Based on General Complexity Assumptions. Adv. in Cryptology --- Crypto

No context found.

Ivan Damgard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In proceedings of CRYPTO '00, LNCS series, volume 1880, pages 432-450, 2000.

No context found.

I. Damgard and J. B. Nielsen. Improved non-committing encryption schemes based on general complexity assumption. In Crypto00, Springer-Verlag Lecture Notes in Computer Science (Vol. 1880), pages 432-450.

No context found.

Ivan Damgard and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In proceedings of CRYPTO '00, LNCS series, volume 1880, pages 432-450, 2000.

No context found.

I. Damgard and J. B. Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Advances in Cryptology: CRYPTO 2000.

No context found.

I. Damgard and J.B. Nielsen. Improved non-committing encryption schemes based on general complexity assumptions. In CRYPTO'00, Springer-Verlag (LNCS 1880), pages 432--450.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC