Results 1 - 10 of 48
Provable Data Possession at Untrusted Stores
2007
Cited by 302 (9 self)
We introduce a model for provable data possession (PDP) that allows a client that has stored data at an untrusted server to verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking supports large data sets in widely-distributed storage systems. We present two provably-secure PDP schemes that are more efficient than previous solutions, even when compared with schemes that achieve weaker guarantees. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation.
Delegation of computation without rejection problem from designated verifier CS-proofs
2011
Cited by 32 (1 self)
We present a designated verifier CS proof system for polynomial time computations. The proof system can only be verified by a designated verifier: one who has published a public key for which it knows a matching secret key unknown to the prover. Whereas Micali's CS proofs require the existence of random oracles, we can base soundness on computational assumptions: the existence of leveled fully homomorphic encryption (FHE) schemes, the DDH assumption and a new knowledge of exponent assumption. Using our designated verifier CS proof system, we construct two schemes for delegating (polynomial-time) computation. In such schemes, a delegator outsources the computation of a function F on input x to a polynomial time worker, who computes the output y = F(x) and proves to the delegator the correctness of the output. Let T be the complexity of computing F on inputs of length n = |x| and let k be a security parameter. Our first scheme calls for a one-time offline stage where the delegator sends a message to the worker, and a non-interactive online stage where the worker sends the output together with a certificate of correctness to the prover per input x. The total computational
Remote Data Checking Using Provable Data Possession
2011
Cited by 30 (2 self)
We introduce a model for provable data possession (PDP) that can be used for remote data checking: A client that has stored data at an untrusted server can verify that the server possesses the original data without retrieving it. The model generates probabilistic proofs of possession by sampling random sets of blocks from the server, which drastically reduces I/O costs. The client maintains a constant amount of metadata to verify the proof. The challenge/response protocol transmits a small, constant amount of data, which minimizes network communication. Thus, the PDP model for remote data checking is lightweight and supports large data sets in distributed storage systems. The model is also robust in that it incorporates mechanisms for mitigating arbitrary amounts of data corruption. We present two provably-secure PDP schemes that are more efficient than previous solutions. In particular, the overhead at the server is low (or even constant), as opposed to linear in the size of the data. We then propose a generic transformation that adds robustness to any remote data checking scheme based on spot checking. Experiments using our implementation verify the practicality of PDP and reveal that the performance of PDP is bounded by disk I/O and not by cryptographic computation. Finally, we conduct an in-depth experimental evaluation to study the tradeoffs in performance, security, and space overheads when
Salvaging Merkle-Damgård for Practical Applications
2009
Cited by 28 (2 self)
Many cryptographic applications of hash functions are analyzed in the random oracle model. Unfortunately, most concrete hash functions, including the SHA family, use the iterative (strengthened) Merkle-Damgård transform applied to a corresponding compression function. Moreover, it is well known that the resulting "structured" hash function cannot be generically used as a random oracle, even if the compression function is assumed to be ideal. This leaves a large disconnect between theory and practice: although no attack is known for many concrete applications utilizing existing (Merkle-Damgård based) hash functions, there is no security guarantee either, even by idealizing the compression function. Motivated by this question, we initiate a rigorous and modular study of developing new notions of (still idealized) hash functions which would be (a) natural and elegant; (b) sufficient for arguing security of important applications; and (c) provably met by the (strengthened) Merkle-Damgård transform, applied to a "strong enough" compression function. In particular, we show that a fixed-length compressing random oracle, as well as the currently used Davies-Meyer compression function (the latter analyzed in the ideal cipher model) are "strong enough" for the two specific weakenings of the random oracle that we develop. These weaker notions, described below, are quite natural and should be interesting in their own right: • Preimage Aware Functions. Roughly, if an attacker found a "later useful" output y of the function, then it must
On the security of the Tor authentication protocol
In Proceedings of the Sixth Workshop on Privacy Enhancing Technologies (PET 2006), 2006
Cited by 25 (5 self)
Tor is a popular anonymous Internet communication system, used by an estimated 250,000 users to anonymously exchange over five terabytes of data per day. The security of Tor depends on properly authenticating nodes to clients, but Tor uses a custom protocol, rather than an established one, to perform this authentication. In this paper, we provide a formal proof of security of this protocol, in the random oracle model, under reasonable cryptographic assumptions.
Targeted malleability: Homomorphic encryption for restricted computations
2011
Cited by 18 (1 self)
We put forward the notion of targeted malleability: given a homomorphic encryption scheme, in various scenarios we would like to restrict the homomorphic computations one can perform on encrypted data. We introduce a precise framework, generalizing the foundational notion of non-malleability introduced by Dolev, Dwork, and Naor (SICOMP '00), ensuring that the malleability of a scheme is targeted only at a specific set of "allowable" functions. In this setting we are mainly interested in the efficiency of such schemes as a function of the number of repeated homomorphic operations. Whereas constructing a scheme whose ciphertext grows linearly with the number of such operations is straightforward, obtaining more realistic (or merely non-trivial) length guarantees is significantly more challenging. We present two constructions that transform any homomorphic encryption scheme into one that offers targeted malleability. Our constructions rely on standard cryptographic tools and on succinct non-interactive arguments, which are currently known to exist in the standard model based on variants of the knowledge-of-exponent assumption. The two constructions offer somewhat different efficiency guarantees, each of which may be preferable depending on the underlying building blocks. Keywords: Homomorphic encryption, Non-malleable encryption.
Instantiability of RSA-OAEP under chosen-plaintext attack
In CRYPTO, 2010
Cited by 16 (1 self)
We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called "padding-based" encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a "fooling" condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is t-wise independent for appropriate t and that RSA satisfies condition (2) under the Φ-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This appears to be the first non-trivial positive result about the instantiability of RSA-OAEP. In particular, it increases our confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP's predecessor in PKCS #1 v1.5 was shown to be vulnerable
Constant-round concurrent zero knowledge from falsifiable assumptions
2012
Cited by 16 (4 self)
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: Roughly speaking, that Micali's non-interactive CS-proofs are sound for languages in P.
Deniable Authentication and Key Exchange
In Proceedings of the 13th ACM Conference on Computer and Communications Security, 400–409, 2006
Cited by 15 (1 self)
We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchange (IKE) protocol. The two protocols require distinct approaches to their deniability analysis, hence highlighting important definitional issues as well as necessitating different tools in the analysis. SKEME is an encryption-based protocol for which we prove full deniability based on the plaintext awareness of the underlying encryption scheme. Interestingly SKEME's deniability is possibly the first "natural" application which essentially requires plaintext awareness (until now this notion has been mainly used as a tool for proving chosen-ciphertext security); in particular this use of plaintext awareness is not tied to the random oracle model. SIGMA, on the other hand, uses non-repudiable signatures for authentication and hence cannot be proven to be fully deniable. Yet we are able to prove a weaker, but meaningful, "partial deniability" property: a party may not be able to deny that it was "alive" at some point in time but can fully deny the contents of its communications and the identity of its interlocutors. We remark that the deniability of SKEME and SIGMA holds in a concurrent setting and does not essentially rely on the random oracle model.
The Cramer-Shoup Encryption Scheme Is Plaintext Aware in the Standard Model
In EUROCRYPT '06: Annual International Conference on Advances in Cryptology, 2006
Cited by 15 (1 self)
In this paper we examine the notion of plaintext awareness as it applies to hybrid encryption schemes. We apply this theory to the Cramer-Shoup hybrid scheme acting on fixed length messages and deduce that the Cramer-Shoup scheme is plaintext-aware in the standard model. This answers a previously open conjecture of Bellare and Palacio on the existence of fully plaintext-aware encryption schemes.