40 citations found.
R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Proc. of CRYPTO 1994, the 14th Ann. Intl. Cryptology Conf., vol. 839 of Lecture Notes in Computer Science, pp. 425--438. Aug. 1994.


This paper is cited in the following contexts:


Private Circuits: Securing Hardware against Probing Attacks - Ishai, Sahai, Wagner (2003)   (2 citations)  (Correct)

....of the memory cells with s , and output y. It is crucial that the circuit C 0 ] contain 2t 1 disjoint copies of G, executing in parallel and sharing no wires or gates. Our construction is related to the method for distributed pseudorandomness generation with proactive security from [10]. For lack of space, the proof of Theorem 6 is omitted here. Theorem 6. If G is a secure PRG, then the stateful deterministic circuit C 0 ] defined above is a computationally t private transformation of the circuit C defined above. Application: eliminating randomness gates. One application ....

R. Canetti and A. Herzberg. Maintaining Security in the Presence of Transient Faults. In CRYPTO 1994, pages 425-438.


Proactive Secret Sharing and Public Key Cryptosystems - Jarecki (1995)   (15 citations)  (Correct)

....threshold k of simultaneously faulty servers) and used the availability of huge majority of honest servers to achieve the very general task of secure computation in the information theoretic sense. The same mobile adversary model was then used in a more practical setting by Canetti and Herzberg [CH94] who proactively maintained a local pseudorandom number generators of n servers. 1.4 Organization of the Thesis In chapter 2 we describe our computational model: the requirements we impose on secret sharing servers and the network that connects them, the bounds on the adversary against which ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. Advances in Cryptology - CRYPTO, LNCS 839:425--438, 1994.


Clock Synchronization with Faults and Recoveries.. - Barak, Halevi.. (2000)   (4 citations)  (Correct)

....depend on securely synchronized clocks, to ensure that the maintenance protocols are indeed performed periodically. There is substantial amount of research on proactive security, including basic services such as agreement [24] secret sharing [23, 17] signatures e.g. [16] and pseudo randomness [4, 5]; see survey in [3]. However, all of the results so far assumed that clocks are synchronized. Our work therefore provides a missing foundation to these and future proactive security works. 1.1 Relations to prior work There is a very large body of research on clock synchronization, much of it ....

R. Canetti and A. Herzberg, Maintaining Security in the Presence of Transient Faults, Proceedings of Crypto' 94, pages 425--438, August 1994.


Optimal Resiliency against Mobile Faults - Buhrman, Garay, Hoepman (1995)   (Correct)

....Reischuk [14] The author designed a (sub optimal) Byzantine agreement protocol able to tolerate them as long as they remain stationary for a given interval of time. More recently, Ostrovsky and Yung [12] proposed randomized methods to withstand the attack of mobile viruses. Canetti and Herzberg [3] use cryptographic techniques to achieve secure ....

R. Canetti and A. Herzberg, "Maintaining Security in the Presence of Transient Faults," Proc. Advances in Cryptology---Crypto '94, pp. 425-438, LNCS (839), Springer Verlag, August 1994.


Efficient Threshold Signature, Multisignature and Blind.. - Boldyreva (2002)   (Correct)

....a new message of its choice. An important property of threshold signature schemes is robustness, which requires that even t malicious parties that deviate from the protocol cannot prevent it from generating a valid signature. Another useful property of a threshold signature scheme is proactiveness [OY, CH] (or periodic refreshment of shares of a secret) whose goal is to protect a system from an adversary that builds up knowledge of a secret by several attempted break ins to several locations. In general, the main goals of threshold signature constructions are to provably achieve the following ....

....As opposed to multisignatures, a threshold signature does not reveal identities of individual signers. Another difference is that the verification protocol of a threshold signature scheme does not depend on the current subgroup of signers. Multisignatures are also different from group signatures [CH, CS] and ring signatures [RST] where every individual member of the group can produce a valid signature on behalf of the whole group. In the latter two settings a signer remains anonymous with respect to a verifier. In the group signature setting there is also a third party called a group manager ....

R. Canetti and A. Herzberg, "Maintaining security in the presence of transient faults," Advances in Cryptology - Crypto '94, LNCS Vol. 839, Y. Desmedt ed., Springer-Verlag, 1994.


General Secure Multi-Party Computation - Goldreich (1999)   (Correct)

.... introduced in [21] allows to consider protocols which remain secure even in case the adversary may seize control of all sites during the execution (but never control concurrently, say, more than 33 of the sites) We comment that schemes secure in this model were later termed proactive (cf. [6]) We next mention some of the models for which general secure multi party computation is known to be attainable. • Assuming the existence of trapdoor permutations, secure multi party computation is possible in the following models (cf. [16] and [14]) 1. Passive adversary, for any number of ....

....secure multi party computation typically assumes that the parties know who they are talking to (i.e. the channels between them are authenticated) In the traditional setting, this assumption can be easily justified by using public-key cryptosystems. The current work deals with a setting (as in [21, 6]) in which an adversary may temporarily gain control of all network sites, provided it never controls too many sites concurrently. The work shows how to maintain authenticated communication in such a setting. Randomness versus Fault Tolerance (by Canetti, Kushilevitz, Ostrovsky, and Rosen) This ....

R. Canetti and A. Herzberg. Maintaining Security in the Presence of Transient Faults. In Crypto94, Springer-Verlag LNCS (Vol. 839), pages 425--439.


COCA: A Secure Distributed On-line Certification Authority - Zhou, Schneider, van Renesse   (52 citations)  (Correct)

....The administrative public key is known to other administrators (and all servers) the administrative private key, kept off line most of the time as a defense against on line attacks, is used to sign notification message for the new public server public key. Other rekeying schemes are discussed in [9]. Public keys of COCA servers are not given to COCA clients so that clients need not be informed of changed server keys attractive in a system with a large number of clients and where server keys are periodically refreshed. Service Key. There is one service private public key pair. It is used ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Y. Desmedt, editor, Advances in Cryptology---Crypto'94, the 14th Annual International Cryptology Conference, Santa Barbara, CA USA, August 21--25,


Towards Fault-Tolerant and Secure On-Line Services - Zhou (2001)   (3 citations)  (Correct)

....23] This pioneering work leaves the door open for practical solutions to achieve proactive security, with its focus on general but impractical secure multi party protocols. Besides proactive secret sharing and proactive threshold cryptography, other proactive schemes have also been proposed. In [13], Canetti shows how to construct a proactive pseudo random generator with application to secure sign on. In [25] a proactive protocol for generating cryptographically secure pseudo random numbers is presented. In [12] Canetti presents a proactive scheme for maintaining authenticated and secure ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Y. Desmedt, editor, Advances in Cryptology---Crypto'94, the 14th Annual International Cryptology Conference, Santa Barbara, CA USA, August 21--25,


Simple Forward-Secure Signatures From Any Signature Scheme - Krawczyk (2000)   (29 citations)  (Correct)

....technical tool. 2.2 A technical tool: forward secure prg s The key refreshment (or key evolving) paradigm of forward secure signatures is useful for many other cryptographic primitives with different security implications depending on the application. Examples include proactive systems (e.g. [16, 6, 15]) and key exchange protocols with key expiration and the related notion of perfect forward secrecy [9] In our construction of forward secure signatures we use forward secure pseudorandom generators. Such generators have been used in different contexts, e.g. [2, 6] and have simple realizations ....

....proactive systems (e.g. [16, 6, 15]) and key exchange protocols with key expiration and the related notion of perfect forward secrecy [9] In our construction of forward secure signatures we use forward secure pseudorandom generators. Such generators have been used in different contexts, e.g. [2, 6], and have simple realizations based on regular pseudorandom generators or pseudorandom functions. A formalization of this notion can be found in [4] Here we describe them informally and point to one simple (generic) construction (other implementations are possible) A forward secure ....

[Article contains additional citation context not shown here]

Canetti, R., and Herzberg, A., "Maintaining Security in the Presence of Transient Faults", Advances in Cryptology - CRYPTO 94 Proceedings, Lecture Notes in Computer Science Vol. 839, Springer-Verlag, Y. G. Desmedt, ed, 1994, pp. 425-438.


Efficient Secure Multi-Party Computation - Hirt, Maurer, Przydatek (2000)   (2 citations)  (Correct)

....thereby to significantly reduce the communication overhead caused by them. The techniques presented in this section apply to many applications in several models, including those relying on intractability assumptions. The adversary can be static or adaptive, but not mobile: A mobile adversary [OY91,CH94] may release some of the corrupted players during the protocol execution and thereby regain the capability of corrupting new players, which contradicts the idea of elimination of corrupted players. 2.2 Incorporating Resilience into a Private Protocol We consider a private protocol that proceeds ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Advances in Cryptology - CRYPTO '94, vol. 839 of LNCS, pp. 425-438, 1994.


How to Maintain Authenticated Communication in the.. - Canetti, Halevi.. (1996)   (3 citations)  (Correct)

....is running for a relatively long time, it will be unreasonable to assume any limit on the overall number of parties that can be broken into throughout the lifetime of the system. We only assume, then, that not too many parties are broken into at the same time. Following the proactive approach in [18, 10, 15] we introduce periodical, short refreshment phases, during which the parties jointly try to refresh their keys and regain security. Let a time unit denote the time between two consecutive refreshment phases. We assume that the number of parties which are broken into during a single time unit is ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Proceedings of CRYPTO'94.


Secure Multi-Party Computation - Goldreich (1998)   (149 citations)  Self-citation (Canetti)   (Correct)

No context found.

R. Canetti and A. Herzberg. Maintaining Security in the Presence of Transient Faults. In Crypto94, Springer-Verlag Lecture Notes in Computer Science (Vol. 839), pages 425--439.


The Proactive Security Toolkit and Applications - Barak, Herzberg, Naor, Shai (1999)   (11 citations)  Self-citation (Herzberg)   (Correct)

.... have been devised for the following problems: S Secret sharing [21,16] S Discrete log based digital signatures [15] and in particular DSA [13] S Secure end to end communication [5] S RSA [10,11,24] and in particular generation of the RSA shared key [3] S Pseudo random generation [6,8] S Key distribution center [20] This substantial set of known results in proactive security did not yet produce any practical security product or solution. In fact, there are only a few deployments of distributed security the most well known may be the SET credit card standard s certificate ....

....proactively secure systems do not wait until a break in is detected. Instead, a proactively secure system invokes the refreshment protocol periodically (and proactively) in order to maintain uninterrupted security, or force detection. For more discussion on the motivation behind this model, see [4,5,6,16]. Some attacks on the system cannot be prevented. The classical example is if the attacker is breaking into a server, thereby finding all its secret keys; it then pretends to be that server while keeping this server disconnected from the other servers (when the attacker lost control over that ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Crypto' 94, pp. 425-438, August, 1994.


Security and Composition of Multi-party Cryptographic Protocols - Canetti (1998)   (163 citations)  Self-citation (Canetti)   (Correct)

....the [7, 9] definitions incorporate additional structure for better capturing this concern. For sake of simplicity, our definition does not contain this structure. Yet, in some scenarios putting trust in internal erasures is reasonable and necessary. An example is the case of proactive security [29, 10], where the parties are servers controlled by a single authority, and use erasures to maintain security in the face of repeated break ins. In such case A learns only the corrupted party s current state. 26 We remark that the amount of information seen by the adversary upon corrupting a party is ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Proceedings of CRYPTO'94.


Security and Composition of Multi-party Cryptographic Protocols - Canetti (1999)   (163 citations)  Self-citation (Canetti)   (Correct)

....broadcast channel, where it is guaranteed that any message that is received by one party is received by all parties. Also, the setting where the adversary is probabilistic polynomial time and learns only messages sent to corrupted parties is often convenient for designing protocols (e.g. [f87, ch94, gjkr96, g98, r98]) The definitions can be easily adapted to these settings. In all the above models, we concentrate on the case of honest majority, where strictly less than half of the parties are corrupted at any time. When half or more of the parties are corrupted the definition has to be weakened somewhat. ....

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Proceedings of CRYPTO'94, LNCS 839, Springer-Verlag, 1994.


An Efficient Threshold Public Key Cryptosystem Secure.. - Canetti, Goldwasser (1999)   (7 citations)  Self-citation (Canetti)   (Correct)

....any information about the cleartext. This functionality has been introduced and (very different) constructions were given in [7] This variant is secure against lunch time attacks only. Proactiveness. Our techniques can be proactivized (i.e. modified to withstand mobile faults, as suggested in [34, 11]) in standard ways [29] See more discussion in [12] 2 Security of threshold cryptosystems We present a measure of security of threshold PKCs. Our formalization is geared towards capturing the security requirements that emerge when using the system as a service in a complex and unpredictable ....

R. Canetti and A. Herzberg, "Maintaining security in the presence of transient faults", CRYPTO'94, 1994.


Unknown -   (Correct)

No context found.

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Proc. of CRYPTO 1994, the 14th Ann. Intl. Cryptology Conf., vol. 839 of Lecture Notes in Computer Science, pp. 425--438. Aug. 1994.


Implementing Trustworthy Services Using Replicated State.. - Schneider, Zhou (2005)   (Correct)

No context found.

R. Canetti and A. Herzberg, "Maintaining Security in the Presence of Transient Faults," Advances in Cryptology: Proc. 14th Int'l Cryptology Conf., LNCS 839, Y. Desmedt, ed., Springer-Verlag, 1994, pp. 425--438.


Foundations of Cryptography - Goldreich (2004)   (50 citations)  (Correct)

No context found.

R. Canetti and A. Herzberg. Maintaining Security in the Presence of Transient Faults. In Crypto94, Springer-Verlag Lecture Notes in Computer Science (Vol. 839), pages 425-439.


Towards Fault-Tolerant and Secure On-Line Services - Zhou (2001)   (3 citations)  (Correct)

No context found.

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Y. Desmedt, editor, Advances in Cryptology---Crypto'94, the 14th Annual International Cryptology Conference, Santa Barbara, CA USA, August 21--25, 1994.


On Protocol Security in the Cryptographic Model - Nielsen (2003)   (1 citation)  (Correct)

No context found.

Ran Canetti and Amir Herzberg. Maintaining security in the presence of transient faults. In Yvo Desmedt, editor, Advances in Cryptology - Crypto '94, pages 425--438, Berlin, 1994. Springer-Verlag. Lecture Notes in Computer Science Volume 839.


Admission Control in Peer Groups - Kim, Mazzocchi, Tsudik (2003)   (Correct)

No context found.

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In CRYPTO'94, pages 425--438.


Distributed Trust: Supporting Fault-tolerance and.. - Schneider, Zhou (2004)   (Correct)

No context found.

R. Canetti and A. Herzberg. Maintaining security in the presence of transient faults. In Y. Desmedt, editor, Advances in Cryptology---Crypto'94, the 14th Annual International Cryptology Conference, Proceedings, volume 839 of Lecture Notes in Computer Science, pages 425--438, Berlin, Germany, 1994. Springer-Verlag.


A Simplified Approach to Threshold and Proactive RSA - Rabin   (56 citations)  (Correct)

No context found.

R. Canetti and Amir Herzberg. Maintaining security in the presence of transient faults. Crypto '94, pages 425--438, 1994. Springer-Verlag. LNCS No. 839.


CiteSeer.IST - Copyright Penn State and NEC