D. Boneh, M. Naor, Timed commitments (extended abstract), in: Advances in Cryptology - CRYPTO  Home/Search   Document Not in Database   Summary   Related Articles   Check

....has depth O(n log log n) where n = log p [33] Thus, given the current state of knowledge on this problem and the related modular exponentiation problem, it is reasonable to assume that they are not in NC. In fact, this assumption (for the exponentiationproblem) has been explicitly relied on in [17]. It is easy to see that deciding quadratic residuosity modulo p can be very efficiently reduced to computing the monotone function defined by NQRP p . However, there is a major difference between the standard algorithmic setting for this problem and our setting. Our setting is highly ....

D. Boneh and M. Naor. Timed commitments. In Advances in Cryptology -- CRYPTO 2000.

....could abort and employ all of his resources to complete the computation (e.g. recover the signature by parallel search of the remaining bits) while it might take much longer or even be infeasible for the weaker party to do so. These problems have recently been tackled by Boneh and Naor [BN00] using tools based on moderately hard problems [DN92] A moderately hard problem is one which is not computationally infeasible to solve, but also not easy. They propose an elegant timing mechanism based on modular exponentiation, which is a problem believed not to be well suited for ....

....however, the timed release is a one way operation, from a signer to a receiver, and cannot be directly applied to achieve a fair exchange. We answer this challenge by introducing a new time structure, which we call a mirrored time line. In a nutshell, Garay and Jakobsson called a time line the [BN00] structure (vector) of the form: i=0 (modN) 1) for N a Blum integer and generator g satisfying certain properties, and used an undisclosed value in the vicinity of the kth point (specifically, the kth point s square root) as the signature s blinding factor. A mirrored time line is basically ....

[Article contains additional citation context not shown here]

D. Boneh and M. Naor. Timed commitments (extended abstract). In Advances in Cryptology--- CRYPTO '00, volume 1880 of Lecture Notes in Computer Science, pages 236--254. SpringerVerlag, 2000.

....fair exchange protocols have been proposed. These protocols ensure that either both parties receive what they expected or nobody gains anything valuable. However, this kind of fairness has to be realized with a trusted third party (also called trustee or TTP) as protocols without a TTP (e.g. [EGL82,BOGMR90, Jak95, BN00]) cannot guarantee this strong notion of fairness [EY80] A simple fair exchange solution is an active TTP that is involved in every exchange (e.g. BP90, Tyg96, CHTY96, ZG96, FR97] Much more e cient are optimistic protocols [ASW97] in which the TTP only has to participate if a con ict has to ....

Dan Boneh and Moni Naor. Timed commitments. In Advances in Cryptology pages 236254, Santa Barbara, CA, 2000. Springer-Verlag.

....and Yacobi [EY80] who proved that fairness is impossible in a deterministic 2 party contract signing protocol. Since then, there have been proposed randomized contract signing protocols based on a computational de nition of fairness [Eve82,EGL85] protocols based on gradual release of commitments [Dam95,BN00], as well as non probabilistic contract signing protocols that make optimistic use of the trusted third party (a.k.a. judge) In an optimistic protocol, the trusted third party is invoked only if one of the participants misbehaves [ASW00,GJM99] In this paper, we focus on probabilistic contract ....

D. Boneh and M. Naor. Timed commitments. In Proc. CRYPTO'00, volume 1880 of LNCS, pages 236-254. Springer-Verlag, 2000.

....TTP during the transaction when the parties behave correctly and the network functions, but to invoke the TTP to complete the protocol in case of problems with one of the parties or the network. Such protocols are said to be optimistic. Fair exchange protocols without TTP have also been proposed [9, 20, 27, 28]. However the last two are based on an unpractical de nition of fairness (as we will see below) and the others adopt a probabilistic approach towards fairness. Independently of the way a TTP is (or is not) used, several categories of exchange protocols exist, depending on the information to be ....

D. Boneh and M. Naor. Timed commitments. In Advances in Cryptology: Proceedings of Crypto 2000, volume 1880 of Lecture Notes in Computer Science, pages 236-254. Springer-Verlag, 2000.

....payment. Their method allows to recover the original client s signature from the committed one, using designated convertible signatures [9] They also proposed a concrete protocol based on the RSA signature scheme. Though some fair exchange protocols without a TTP have already been proposed [7, 19 21] (implying often some communication and computation overheads) In this paper, we propose a new protocol that allow the exchange of an item against a signature while assuring fairness. The protocol, based on the GiraultPoupard Stern (GPS) signature scheme [12, 16] a variation of the Schnorr ....

D. Boneh and M. Naor. Timed commitments. In Advances in Cryptology: Proceedings of Crypto 2000, volume 1880 of Lecture Notes in Computer Science, pages 236-254. Springer-Verlag, 2000.

....were suggested by other researchers [12, 14, 20] All these protocols are fair in the sense that if one of the parties defaults then it does not have a considerable advantage over the other party, since it knows at most one more bit than the other party. The recent work of Boneh and Naor [9] provides better fairness since it ensures that neither party can parallelize its e#ort to compute the bits that are unknown to it. The main drawback of these protocols is the large number of rounds that they require (approximately as many rounds as the length of a security parameter, namely the ....

D. Boneh and M. Naor. Timed commitments (extended abstract). In M. Bellare, editor, CRYPTO'00. Springer-Verlag, 2000.

....that will yield a predictable result. Various approaches to this capability have been published. In [9] the committed unpredictability comes from a long delaying calculation on the result of a (fast) combination of the inputs from participants. Another similar scheme is given in [23] Both [4] and [23] give commitment schemes that are individual, as here; 4] also describes a zero knowledge proof of a well formed commitment. 10] further expands and develops the work in [9] and [23] We follow the individual commitment approach of [10, 23] because it is both shortcut computable and ....

....capability have been published. In [9] the committed unpredictability comes from a long delaying calculation on the result of a (fast) combination of the inputs from participants. Another similar scheme is given in [23] Both [4] and [23] give commitment schemes that are individual, as here; [4] also describes a zero knowledge proof of a well formed commitment. 10] further expands and develops the work in [9] and [23] We follow the individual commitment approach of [10, 23] because it is both shortcut computable and easily commitment veri able. Anyone possessing a secret (in this ....

[Article contains additional citation context not shown here]

Dan Boneh and Moni Naor. Timed commitments. In Advances in Cryptology { CRYPTO 2000, LNCS Vol. 1880, pages 236-254. Springer-Verlag, 2000.

....and developing suitable primitives, for which good lower bounds can be developed. Another avenue of research relates to applications that use timed mechanisms. This paper makes progress in both of these areas by extending the recent work of Boneh and Naor on timed commitments and timed signatures [BN00] to (1) allow for the reuse of their proposed timed structure, thus achieving lower session costs, and (2) allow for the robust timed release of standard signatures. Background and motivation. We will follow the convention and refer to schemes with a moderately hard computational trigger as ....

....time than to CPU time. For this purpose, problems based on modular exponentiation are believed to be good, as considerable e ort has been invested in nding ecient exponentiation algorithms, and it is believed to be a problem not well suited for parallelization. For this reason, and following [RSW96, BN00], we base our work on iterated squaring. While the computational lower bounds for the problem solver are paramount, and have been the focus of previous research, the computational costs of the problem generator (resp. the solution veri er) have not received the same attention. One focus of our ....

[Article contains additional citation context not shown here]

Dan Boneh and Moni Naor. Timed commitments (extended abstract). In Advances in Cryptology|CRYPTO '00, volume 1880 of Lecture Notes in Computer Science, pages 236-254. Springer-Verlag, 2000.

....has depth O(n= log log n) where n = log p [32] Thus, given the current state of knowledge on this problem and the related modular exponentiation problem, it is reasonable to assume that they are not in NC. In fact, this assumption (for the exponentiation problem) has been explicitly relied on in [16]. It is easy to see that deciding quadratic residuosity modulo p can be very efficiently reduced to computing the monotone function defined by NQRP p . However, there is a major difference between the standard algorithmic setting for this problem and our setting. Our setting is highly ....

D. Boneh and M. Naor. Timed commitments. In Advances in Cryptology -- CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 236--254. Springer-Verlag, 2000.

No context found.

D. Boneh, M. Naor, Timed commitments (extended abstract), in: Advances in Cryptology - CRYPTO

No context found.

D. Boneh and M. Naor. Timed commitments. In CRYPTO 2000, pp. 236--254.

No context found.

D. Boneh and M. Naor. Timed commitments. In Advances in Cryptology: Proceedings of Crypto 2000, volume 1880 of Lecture Notes in Computer Science, pages 236--254. Springer-Verlag, 2000.

No context found.

D. Boneh and M. Naor. Timed commitments (extended abstract). In Advances in Cryptology --- Crypto'2000.

No context found.

D. Boneh and M. Naor. Timed Commitments (Extended Abstract). In Proceedings of CRYPTO, pages 236--254, August 2000.

No context found.

D. Boneh and M. Naor, Timed Commitments, Crypto'00.

No context found.

D. Boneh and M. Naor. Timed commitments (extended abstract). In Advances in Cryptology|CRYPTO '00, volume 1880 of Lecture Notes in Computer Science, pages 236-254. Springer-Verlag, 2000.

No context found.

D. Boneh and M. Naor. Timed commitments. In M. Bellare, editor, Advances in Cryptology: Proceedings of Crypto 2000.

No context found.

D. Boneh and M. Naor, Timed commitments, in M. Bellare (ed.), Crypto 2000, Springer LNCS 1880, (2000) 236-254.

No context found.

D. Boneh and M. Naor. Timed commitments (extended abstract). In Advances in Cryptology--- CRYPTO '00, volume 1880 of Lecture Notes in Computer Science, pages 236--254, Springer-Verlag, 2000.

No context found.

D. Boneh and M. Naor. Timed commitments. In Proc. CRYPTO 2000.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC