Results 11  20
of
117
Efficient Cryptographic Protocols based on Noisy Channels
, 1996
"... The WireTap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr'epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a c ..."
Abstract

Cited by 68 (0 self)
 Add to MetaCart
The WireTap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr'epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires\Omega\Gamma n 11 ) bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending O(n) and O(n 3 ) bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [1] that allow two people to extract secret information from partially compromised data. 1 Introduction The cryptographic power of...
From extractable collision resistance to succinct noninteractive arguments of knowledge, and back again
 In Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS '12
, 2012
"... The existence of noninteractive succinct arguments (namely, noninteractive computationallysound proof systems where the verifier’s time complexity is only polylogarithmically related to the complexity of deciding the language) has been an intriguing question for the past two decades. The question ..."
Abstract

Cited by 63 (18 self)
 Add to MetaCart
(Show Context)
The existence of noninteractive succinct arguments (namely, noninteractive computationallysound proof systems where the verifier’s time complexity is only polylogarithmically related to the complexity of deciding the language) has been an intriguing question for the past two decades. The question has gained renewed importance in light of the recent interest in delegating computation to untrusted workers. Still, other than Micali’s CS proofs in the Random Oracle Model, the only existing candidate construction is based on an elaborate assumption that is tailored to the specific proposal [Di Crescenzo and Lipmaa, CiE ’08]. We modify and reanalyze that construction: • We formulate a general and relatively mild notion of extractable collisionresistant hash functions (ECRHs), and show that if ECRHs exist then the modified construction is a noninteractive succinct argument (SNARG) for NP. Furthermore, we show that (a) this construction is a proof of knowledge, and (b) it remains secure against adaptively chosen instances. These two properties are arguably essential for using the construction as a delegation of computation scheme. • We show that existence of SNARGs of knowledge (SNARKs) for NP implies existence of ECRHs, as well as extractable variants of some other cryptographic primitives. This provides further evi
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 62 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1
Possibility and impossibility results for encryption and commitment secure under selective opening
 in A. Joux (Ed.), Advances in Cryptology—EUROCRYPT 2009
, 2009
"... Abstract. The existence of encryption and commitment schemes secure under selective opening attack (SOA) has remained open despite considerable interest and attention. We provide the first public key encryption schemes secure against sender corruptions in this setting. The underlying tool is lossy ..."
Abstract

Cited by 57 (12 self)
 Add to MetaCart
(Show Context)
Abstract. The existence of encryption and commitment schemes secure under selective opening attack (SOA) has remained open despite considerable interest and attention. We provide the first public key encryption schemes secure against sender corruptions in this setting. The underlying tool is lossy encryption. We then show that no noninteractive or perfectly binding commitment schemes can be proven secure with blackbox reductions to standard computational assumptions, but any statistically hiding commitment scheme is secure. Our work thus shows that the situation for encryption schemes is very different from the one for commitment schemes. 1
New and improved constructions of nonmalleable cryptographic protocols
 In 37th Annual ACM Symposium on Theory of Computing
, 2005
"... We present a new constant round protocol for nonmalleable zeroknowledge. Using this protocol as a subroutine, we obtain a new constantround protocol for nonmalleable commitments. Our constructions rely on the existence of (standard) collision resistant hash functions. Previous constructions eith ..."
Abstract

Cited by 54 (18 self)
 Add to MetaCart
(Show Context)
We present a new constant round protocol for nonmalleable zeroknowledge. Using this protocol as a subroutine, we obtain a new constantround protocol for nonmalleable commitments. Our constructions rely on the existence of (standard) collision resistant hash functions. Previous constructions either relied on the existence of trapdoor permutations and hash functions that are collision resistant against subexponential sized circuits, or required a superconstant number of rounds. Additional results are the first construction of a nonmalleable commitment scheme that is statistically hiding (with respect to opening), and the first nonmalleable commitments that satisfy a strict polynomialtime simulation requirement. Our approach differs from the approaches taken in previous works in that we view nonmalleable zeroknowledge as a buildingblock rather than an end goal. This gives rise to a modular construction of nonmalleable commitments and results in a somewhat simpler analysis.
Simulation in quasipolynomial time, and its application to protocol composition
 In EUROCRYPT
, 2003
"... Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concur ..."
Abstract

Cited by 49 (13 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a relaxation of zeroknowledge, by allowing the simulator to run in quasipolynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constantround straightline concurrent quasipolynomial time simulatable arguments and show that such arguments can be used in advanced composition operations without any setup assumptions. Our protocols rely on slightly strong, but standard type assumptions (namely the existence of onetoone oneway functions secure against subexponential circuits). 1
Concurrent nonmalleable commitments
 In FOCS
, 2005
"... We present a nonmalleable commitment scheme that retains its security properties even when concurrently executed a polynomial number of times. That is, a maninthemiddle adversary who is simultaneously participating in multiple concurrent commitment phases of our scheme, both as a sender and as a ..."
Abstract

Cited by 42 (14 self)
 Add to MetaCart
(Show Context)
We present a nonmalleable commitment scheme that retains its security properties even when concurrently executed a polynomial number of times. That is, a maninthemiddle adversary who is simultaneously participating in multiple concurrent commitment phases of our scheme, both as a sender and as a receiver, cannot make the values he commits to depend on the values he receives commitments to. Our result is achieved without assuming an apriori bound on the number of executions and without relying on any setup assumptions. Our construction relies on the existence of standard clawfree permutations and only requires a constant number of communication rounds. 1
Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer
, 1999
"... We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a "trusted initializer " who participates only in an initial setup ..."
Abstract

Cited by 42 (0 self)
 Add to MetaCart
(Show Context)
We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a &quot;trusted initializer &quot; who participates only in an initial setup phase. The scheme also utilizes private channels between each pair of parties. The Sender is able to easily commit to a large value; the scheme is not just a &quot;bitcommitment &quot; scheme. We also observe that 1outofn oblivious transfer is easily handled in the same model, using a simple OT protocol due to Bennett et al.[2].
On SimulationSound Trapdoor Commitments
 In proceedings of EUROCRYPT ’04, LNCS series
, 2003
"... We study the recently introduced notion of a simulationsound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct ..."
Abstract

Cited by 40 (2 self)
 Add to MetaCart
We study the recently introduced notion of a simulationsound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any oneway functions, and how to construct very efficient SSTC schemes based on specific numbertheoretic assumptions. We also show how to construct simulationsound, nonmalleable, and universallycomposable zeroknowledge protocols using SSTC schemes, yielding, for instance, the most efficient universallycomposable zeroknowledge protocols known. Finally, we explore the relation between SSTC schemes and nonmalleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are nonmalleable.
The Case of the Fake Picasso: Preventing History Forgery with Secure Provenance
"... As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intellige ..."
Abstract

Cited by 37 (5 self)
 Add to MetaCart
(Show Context)
As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. In this paper, we show how to provide strong integrity and confidentiality assurances for data provenance information. We describe our provenanceaware system prototype that implements provenance tracking of data writes at the application layer, which makes it extremely easy to deploy. We present empirical results that show that, for typical reallife workloads, the runtime overhead of our approach to recording provenance with confidentiality and integrity guarantees ranges from 1 % – 13%. 1