Results 11-20 of 62
Constant-round concurrent zero knowledge from falsifiable assumptions, 2012
Cited by 17 (5 self)
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: Roughly speaking, that Micali’s non-interactive CS-proofs are sound for languages in P.
A non-interactive shuffle with pairing based verifiability. In proceedings of ASIACRYPT ’07, LNCS series, 2007
Cited by 17 (2 self)
A shuffle is a permutation and re-encryption of a set of ciphertexts. Shuffles are for instance used in mix-nets for anonymous broadcast and voting. One way to make a shuffle verifiable is to give a zero-knowledge proof of correctness. All currently known practical zero-knowledge proofs for correctness of a shuffle rely on interaction. We give the first efficient non-interactive zero-knowledge proof for correctness of a shuffle.
Authentication protocols based on low-bandwidth unspoofable channels: a comparative survey, 2009
Universally Composable Zero-Knowledge Arguments and Commitments from Signature Cards. In Proc. of the 5th Central European Conference on Cryptology MoraviaCrypt 2005, 2005
Cited by 14 (1 self)
In the Universal Composability framework many cryptographic tasks cannot be built from scratch. Additional “helping” functionalities are needed to realise zero-knowledge or bit commitment. However, all the additional functionalities presented in the literature so far have to be specially designed as a “helping” functionality and cannot directly serve any other purpose without endangering the universal composability. In this work, we introduce the concept of catalysts. Informally a functionality C is a catalyst for a functionality F if F can be implemented given the primitive C and the functionality C can still directly be used by other applications without any additional precautions. We prove that catalysts exist for zero-knowledge and bit commitment. And, what is more, we show that a signature card, which is in accordance with the German law [Bun01], can be used as such a catalyst.
Deniable Authentication and Key Exchange. Proceedings of the 13th ACM conference on Computer and communications security, 400–409, 2006
Cited by 14 (1 self)
We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchange (IKE) protocol. The two protocols require distinct approaches to their deniability analysis, hence highlighting important definitional issues as well as necessitating different tools in the analysis. SKEME is an encryption-based protocol for which we prove full deniability based on the plaintext awareness of the underlying encryption scheme. Interestingly SKEME’s deniability is possibly the first “natural” application which essentially requires plaintext awareness (until now this notion has been mainly used as a tool for proving chosen-ciphertext security); in particular this use of plaintext awareness is not tied to the random oracle model. SIGMA, on the other hand, uses non-repudiable signatures for authentication and hence cannot be proven to be fully deniable. Yet we are able to prove a weaker, but meaningful, “partial deniability” property: a party may not be able to deny that it was “alive” at some point in time but can fully deny the contents of its communications and the identity of its interlocutors. We remark that the deniability of SKEME and SIGMA holds in a concurrent setting and does not essentially rely on the random oracle model.
How to Build a Hash Function from any Collision-Resistant Function, 2007
Cited by 12 (3 self)
Recent collision-finding attacks against hash functions such as MD5 and SHA-1 motivate the use of provably collision-resistant (CR) functions in their place. Finding a collision in a provably CR function implies the ability to solve some hard problem (e.g., factoring). Unfortunately, existing provably CR functions make poor replacements for hash functions as they fail to deliver behaviors demanded by practical use. In particular, they are easily distinguished from a random oracle. We initiate an investigation into building hash functions from provably CR functions. As a method for achieving this, we present the Mix-Compress-Mix (MCM) construction; it envelopes any provably CR function H (with suitable regularity properties) between two injective “mixing” stages. The MCM construction simultaneously enjoys (1) provable collision-resistance in the standard model, and (2) indifferentiability from a monolithic random oracle when the mixing stages themselves are indifferentiable from a random oracle that observes injectivity. We instantiate our new design approach by specifying a block-cipher-based construction that
New approaches for deniable authentication. In Proceedings of the 12th ACM conference on Computer and communications security, 2005
Cited by 9 (0 self)
Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place. We present two new approaches to the problem of deniable authentication. The novelty of our schemes is that they do not require the use of CCA-secure encryption (all previous known solutions did), thus showing a different generic approach to the problem of deniable authentication. These new approaches are practically relevant as they lead to more efficient protocols. In the process we point out a subtle definitional issue for deniability. In particular we propose the notion of forward deniability, which requires that the authentications remain deniable even if the Sender wants to later prove that she authenticated a message. We show that a simulation-based definition of deniability, where the simulation can be computationally indistinguishable from the real protocol, does not imply forward deniability. Thus for deniability one needs to restrict the simulation to be perfect (or statistically close). Our new protocols satisfy this stricter requirement.
Composability and On-Line Deniability of Authentication
Cited by 8 (1 self)
Protocols for deniable authentication achieve seemingly paradoxical guarantees: upon completion of the protocol the receiver is convinced that the sender authenticated the message, but neither party can convince anyone else that the other party took part in the protocol. We introduce and study on-line deniability, where deniability should hold even when one of the parties colludes with a third party during execution of the protocol. This turns out to generalize several realistic scenarios that are outside the scope of previous models. We show that a protocol achieves our definition of on-line deniability if and only if it realizes the message authentication functionality in the generalized universal composability framework; any protocol satisfying our definition thus automatically inherits strong composability guarantees. Unfortunately, we show that our definition is impossible to realize in the PKI model if adaptive corruptions are allowed (even if secure erasure is assumed). On the other hand, we show feasibility with respect to static corruptions (giving the first separation in terms of feasibility between the static and adaptive setting), and show how to realize a relaxation termed deniability with incriminating abort under adaptive corruptions.
Random Oracles and Auxiliary Input
Cited by 8 (0 self)
We introduce a variant of the random oracle model where oracle-dependent auxiliary input is allowed. In this setting, the adversary gets an auxiliary input that can contain information about the random oracle. Using simple examples we show that this model should be preferred over the classical variant where the auxiliary input is independent of the random oracle. In the presence of oracle-dependent auxiliary input, the most important proof technique in the random oracle model, lazy sampling, does not apply directly. We present a theorem and a variant of the lazy sampling technique that allows one to perform proofs in the new model almost as easily as in the old one. As an application of our approach and to illustrate how existing proofs can be adapted, we prove that
Honest verifier zero-knowledge arguments applied. Dissertation Series DS-04-3, BRICS, 2004. PhD thesis, xii+119