Results 1  10
of
1,401
IdentityBased Encryption from the Weil Pairing
, 2001
"... We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic ..."
Abstract

Cited by 1699 (29 self)
 Add to MetaCart
(Show Context)
We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
, 1995
"... We argue that the random oracle model  where all parties have access to a public random oracle  provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P R for the ..."
Abstract

Cited by 1643 (75 self)
 Add to MetaCart
We argue that the random oracle model  where all parties have access to a public random oracle  provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zeroknowledge proofs.
The knowledge complexity of interactive proof systems
 in Proc. 27th Annual Symposium on Foundations of Computer Science
, 1985
"... Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltoni ..."
Abstract

Cited by 1267 (42 self)
 Add to MetaCart
Abstract. Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/nonHamiltonian. In this paper a computational complexity theory of the "knowledge " contained in a proof is developed. Zeroknowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zeroknowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zeroknowledge proofs for languages not known to be efficiently recognizable. Key words, cryptography, zero knowledge, interactive proofs, quadratic residues AMS(MOS) subject classifications. 68Q15, 94A60 1. Introduction. It is often regarded that saying a language L is in NP (that is, acceptable in nondeterministic polynomial time) is equivalent to saying that there is a polynomial time "proof system " for L. The proof system we have in mind is one where on input x, a "prover " creates a string a, and the "verifier " then computes on x and a in time polynomial in the length of the binary representation of x to check that
SPINS: Security Protocols for Sensor Networks
, 2001
"... As sensor networks edge closer towards widespread deployment, security issues become a central concern. So far, the main research focus has been on making sensor networks feasible and useful, and less emphasis was placed on security. We design a suite of security building blocks that are optimized ..."
Abstract

Cited by 1049 (31 self)
 Add to MetaCart
As sensor networks edge closer towards widespread deployment, security issues become a central concern. So far, the main research focus has been on making sensor networks feasible and useful, and less emphasis was placed on security. We design a suite of security building blocks that are optimized for resourceconstrained environments and wireless communication. SPINS has two secure building blocks: SNEP and TESLA. SNEP provides the following important baseline security primitives: Data con£dentiality, twoparty data authentication, and data freshness. A particularly hard problem is to provide efficient broadcast authentication, which is an important mechanism for sensor networks. TESLA is a new protocol which provides authenticated broadcast for severely resourceconstrained environments. We implemented the above protocols, and show that they are practical even on minimalistic hardware: The performance of the protocol suite easily matches the data rate of our network. Additionally, we demonstrate that the suite can be used for building higher level protocols.
Publickey cryptosystems based on composite degree residuosity classes
 IN ADVANCES IN CRYPTOLOGY — EUROCRYPT 1999
, 1999
"... This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to publickey cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilist ..."
Abstract

Cited by 991 (4 self)
 Add to MetaCart
This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to publickey cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.
A Digital Signature Scheme Secure Against Adaptive ChosenMessage Attacks
, 1995
"... We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a ..."
Abstract

Cited by 985 (43 self)
 Add to MetaCart
We present a digital signature scheme based on the computational diculty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosenmessage attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) can not later forge the signature of even a single additional message. This may be somewhat surprising, since the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosenmessage attack were considered in the folklore to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "clawfree" pair of permutations  a potentially weaker assumption than the intractibility of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.
PseudoRandom Generation from OneWay Functions
 PROC. 20TH STOC
, 1988
"... Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show howto construct a pseudorandom generator from any oneway function. Since it is easy to construct a oneway function from a pseudorandom generator, this result shows that there is a pseudorandom gene ..."
Abstract

Cited by 887 (22 self)
 Add to MetaCart
Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show howto construct a pseudorandom generator from any oneway function. Since it is easy to construct a oneway function from a pseudorandom generator, this result shows that there is a pseudorandom generator iff there is a oneway function.
Universally composable security: A new paradigm for cryptographic protocols
, 2013
"... We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved ..."
Abstract

Cited by 842 (43 self)
 Add to MetaCart
(Show Context)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its securitypreserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Calibrating noise to sensitivity in private data analysis
 In Proceedings of the 3rd Theory of Cryptography Conference
, 2006
"... Abstract. We continue a line of research initiated in [10, 11] on privacypreserving statistical databases. Consider a trusted server that holds a database of sensitive information. Given a query function f mapping databases to reals, the socalled true answer is the result of applying f to the datab ..."
Abstract

Cited by 630 (57 self)
 Add to MetaCart
Abstract. We continue a line of research initiated in [10, 11] on privacypreserving statistical databases. Consider a trusted server that holds a database of sensitive information. Given a query function f mapping databases to reals, the socalled true answer is the result of applying f to the database. To protect privacy, the true answer is perturbed by the addition of random noise generated according to a carefully chosen distribution, and this response, the true answer plus noise, is returned to the user. Previous work focused on the case of noisy sums, in which f =P i g(xi), where xi denotes the ith row of the database and g maps database rows to [0, 1]. We extend the study to general functions f, proving that privacy can be preserved by calibrating the standard deviation of the noise according to the sensitivity of the function f. Roughly speaking, this is the amount that any single argument to f can change its output. The new analysis shows that for several particular applications substantially less noise is needed than was previously understood to be the case. The first step is a very clean characterization of privacy in terms of indistinguishability of transcripts. Additionally, we obtain separation results showing the increased value of interactive sanitization mechanisms over noninteractive. 1 Introduction We continue a line of research initiated in [10, 11] on privacy in statistical databases. A statistic is a quantity computed from a sample. Intuitively, if the database is a representative sample of an underlying population, the goal ofa privacypreserving statistical database is to enable the user to learn properties of the population as a whole while protecting the privacy of the individualcontributors.