Secure communications over insecure channels based on short authenticated strings
In Advances in Cryptology (Crypto), 2005
Cited by 115 (2 self)
Abstract. We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restoration of secure associations in a disaster case, namely when one remote peer has had his long-term keys corrupted.
On Obfuscating Point Functions
2005
Cited by 72 (2 self)
We study the problem of obfuscation in the context of point functions (also known as delta functions).
Perfect non-interactive zero knowledge for NP
In Proceedings of Eurocrypt 2006, volume 4004 of LNCS, 2006
Cited by 53 (3 self)
Abstract. Non-interactive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for non-interactive zero-knowledge this problem has remained open since the inception of NIZK in the late 1980s. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
One-time programs
In Advances in Cryptology – CRYPTO ’08, 2008
Cited by 53 (8 self)
Abstract. In this work, we introduce one-time programs, a new computational paradigm geared towards security applications. A one-time program can be executed on a single input, whose value can be specified at run time. Other than the result of the computation on this input, nothing else about the program is leaked. Hence, a one-time program is like a black-box function that may be evaluated once and then “self-destructs.” This also extends to k-time programs, which are like black-box functions that can be evaluated k times and then self-destruct. One-time programs serve many of the same purposes as program obfuscation, the obvious one being software protection, but also including applications such as temporary transfer of cryptographic ability. Moreover, the applications of one-time programs go well beyond those of obfuscation, since one-time programs can only be executed once (or more generally, a limited number of times) while obfuscated programs have no such bounds. For example, one-time programs lead naturally to electronic
Universally Composable Security with Global Setup
In Proceedings of the 4th Theory of Cryptography Conference, 2007
Cited by 53 (5 self)
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that reestablishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
Bounded-Concurrent Secure Two-Party Computation in a Constant Number of Rounds
In 44th FOCS, 2003
Cited by 45 (15 self)
We consider the problem of constructing a general protocol for secure two-party computation in a way that preserves security under concurrent composition. In our treatment, we focus on the case where an a priori bound on the number of concurrent sessions is specified before the protocol is constructed (a.k.a. bounded concurrency). We make no setup assumptions. Lindell (STOC 2003) has shown that any protocol for bounded-concurrent secure two-party computation, whose security is established via black-box simulation, must have round complexity that is strictly larger than the bound on the number of concurrent sessions. In this paper, we construct a (non-black-box) protocol for realizing bounded-concurrent secure two-party computation in a constant number of rounds. The only previously known protocol for realizing the above task required more rounds than the pre-specified bound on the number of sessions (despite usage of non-black-box simulation techniques). Our constructions rely on the existence of enhanced trapdoor permutations, as well as on the existence of hash functions that are collision-resistant against sub-exponential-size circuits.
How to play almost any mental game over the net: concurrent composition via super-polynomial simulation
In Proceedings of the 46th Annual Symposium on Foundations of Computer Science (FOCS ’05), 2005
Cited by 24 (2 self)
We construct a secure protocol for any multi-party functionality that remains secure (under a relaxed definition of security introduced by Prabhakaran and Sahai (STOC ’04)) when executed concurrently with multiple copies of itself and other protocols, without any assumptions on the existence of trusted parties, a common reference string, an honest majority or synchronicity of the network. The relaxation of security is obtained by allowing the ideal-model simulator to run in quasi-polynomial (as opposed to polynomial) time. Quasi-polynomial simulation suffices to ensure security for most applications of multi-party computation. Furthermore, Lindell (FOCS ’03, TCC ’04) recently showed that such a protocol is impossible to obtain under the more standard definition of polynomial-time simulation by an ideal adversary.
Proof-Carrying Data and Hearsay Arguments from Signature Cards
Cited by 21 (9 self)
Design of secure systems can often be expressed as ensuring that some property is maintained at every step of a distributed computation among mutually-untrusting parties. Special cases include integrity of programs running on untrusted platforms, various forms of confidentiality and side-channel resilience, and domain-specific invariants. We propose a new approach, proof-carrying data (PCD), which circumnavigates the threat of faults and leakage by reasoning about properties of the output data, independently of the preceding computation. In PCD, the system designer prescribes the desired properties of the computation’s outputs. Corresponding proofs are attached to every message flowing through the system, and are mutually verified by the system’s components. Each such proof attests that the message’s data and all of its history comply with the specified properties. We construct a general protocol compiler that generates, propagates and verifies such proofs of compliance, while preserving the dynamics and efficiency of the original computation. Our main technical tool is the cryptographic construction of short non-interactive arguments (computationally-sound proofs) for statements whose truth depends on “hearsay evidence”: previous arguments about other statements. To this end, we attain a particularly strong proof of knowledge. We realize the above, under standard cryptographic assumptions, in a model where the prover has black-box access to some simple functionality — essentially, a signature card.
Incrementally verifiable computation or proofs of knowledge imply time/space efficiency
In Proceedings of the 5th Theory of Cryptography Conference (TCC ’08), 2008
Cited by 21 (0 self)
Abstract. A probabilistically checkable proof (PCP) system enables proofs to be verified in time polylogarithmic in the length of a classical proof. Computationally sound (CS) proofs improve upon PCPs by additionally shortening the length of the transmitted proof to be polylogarithmic in the length of the classical proof. In this paper we explore the ultimate limits of non-interactive proof systems with respect to time and space efficiency. We present a proof system where the prover uses space polynomial in the space of a classical prover and time essentially linear in the time of a classical prover, while the verifier uses time and space that are essentially constant. Further, this proof system is composable: there is an algorithm for merging two proofs of length k into a proof of the conjunction of the original two theorems in time polynomial in k, yielding a proof of length exactly k. We deduce the existence of our proposed proof system by way of a natural new assumption about proofs of knowledge. In fact, a main contribution of our result is showing that knowledge can be “traded” for time and space efficiency in non-interactive proof systems. We motivate this result with an explicit construction of non-interactive CS proofs of knowledge in the random oracle model.
Optimistic fair exchange in a multi-user setting
In PKC07, volume 4450 of LNCS
Cited by 19 (0 self)
Abstract: This paper addresses the security of optimistic fair exchange in a multi-user setting. While the security of public key encryption and public key signature schemes in a single-user setting guarantees their security in a multi-user setting, we show that the situation is different for optimistic fair exchange. First, we show how to break, in the multi-user setting, an optimistic fair exchange scheme provably secure in the single-user setting. This example separates the security of optimistic fair exchange between the single-user setting and the multi-user setting. We then define the formal security model of optimistic fair exchange in the multi-user setting, which is the first complete security model of optimistic fair exchange in the multi-user setting. We prove the existence of a generic construction meeting our multi-user security based on one-way functions in the random oracle model and trapdoor one-way permutations in the standard model. Finally, we revisit two well-known methodologies of optimistic fair exchange, which are based on the verifiably encrypted signature and the sequential two-party multi-signature, respectively. Our result shows that these paradigms remain valid in the multi-user setting.