Results 1  10
of
216
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 490 (21 self)
 Add to MetaCart
(Show Context)
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Replication Is Not Needed: Single Database, ComputationallyPrivate Information Retrieval (Extended Abstract)
 IN PROC. OF THE 38TH ANNU. IEEE SYMP. ON FOUNDATIONS OF COMPUTER SCIENCE
, 1997
"... We establish the following, quite unexpected, result: replication of data for the computational Private Information Retrieval problem is not necessary. More specifically, based on the quadratic residuosity assumption, we present a single database, computationallyprivate informationretrieval scheme ..."
Abstract

Cited by 273 (18 self)
 Add to MetaCart
We establish the following, quite unexpected, result: replication of data for the computational Private Information Retrieval problem is not necessary. More specifically, based on the quadratic residuosity assumption, we present a single database, computationallyprivate informationretrieval scheme with O(n ffl ) communication complexity for any ffl ? 0.
Computationally private information retrieval with polylogarithmic communication
 Advances in Cryptology—EUROCRYPT ’99
, 1999
"... We present a singledatabase computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the ΦHiding Assumption (ΦHA): essentially the difficulty of deciding whether a ..."
Abstract

Cited by 259 (3 self)
 Add to MetaCart
(Show Context)
We present a singledatabase computationally private information retrieval scheme with polylogarithmic communication complexity. Our construction is based on a new, but reasonable intractability assumption, which we call the ΦHiding Assumption (ΦHA): essentially the difficulty of deciding whether a small prime> 2 divides ϕ(m), where m is a composite integer of unknown factorization. Our result also implies the existence of tworound CS proof systems under a concrete complexity assumption. Keywords: Integer factorization, Euler’s function, Φhiding assumption, private information retrieval, computationally sound proofs.
Witness indistinguishable and witness hiding protocols
 in 22nd STOC
, 1990
"... A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding ..."
Abstract

Cited by 184 (0 self)
 Add to MetaCart
A two party protocol in which party A uses one of several secret witnesses to an NP assertion is witness indistinguishable if party B cannot tell which witness A is actually using. The protocol is witness hiding
Concurrent ZeroKnowledge
 IN 30TH STOC
, 1999
"... Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two proces ..."
Abstract

Cited by 177 (18 self)
 Add to MetaCart
Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2 , if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist fourround almost concurrent zeroknowledge interactive proofs and perfect concurrent zeroknowledge arguments for every language in NP . We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
How to Construct ConstantRound ZeroKnowledge Proof Systems for NP
 Journal of Cryptology
, 1995
"... Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for ..."
Abstract

Cited by 169 (8 self)
 Add to MetaCart
Constantround zeroknowledge proof systems for every language in NP are presented, assuming the existence of a collection of clawfree functions. In particular, it follows that such proof systems exist assuming the intractability of either the Discrete Logarithm Problem or the Factoring Problem for Blum Integers.
Conjunctive, subset, and range queries on encrypted data
, 2007
"... We construct publickey systems that support comparison queries (x ≥ a) on encrypted data as well as more general queries such as subset queries (x ∈ S). Furthermore, these systems support arbitrary conjunctive queries (P1 ∧ · · · ∧ Pℓ) without leaking information on individual conjuncts. We p ..."
Abstract

Cited by 169 (20 self)
 Add to MetaCart
We construct publickey systems that support comparison queries (x ≥ a) on encrypted data as well as more general queries such as subset queries (x ∈ S). Furthermore, these systems support arbitrary conjunctive queries (P1 ∧ · · · ∧ Pℓ) without leaking information on individual conjuncts. We present a general framework for constructing and analyzing publickey systems supporting queries on encrypted data.
Universally Composable TwoParty and MultiParty Secure Computation
, 2002
"... We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many pa ..."
Abstract

Cited by 155 (34 self)
 Add to MetaCart
We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies nonmalleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
CoercionResistant Electronic Elections
 In WPES ’05
, 2002
"... We introduce a model for electronic election schemes that involves a more powerful adversary than in previous work. In particular, we allow the adversary to demand of coerced voters that they vote in a particular manner, abstain from voting, or even disclose their secret keys. We define a scheme ..."
Abstract

Cited by 148 (0 self)
 Add to MetaCart
We introduce a model for electronic election schemes that involves a more powerful adversary than in previous work. In particular, we allow the adversary to demand of coerced voters that they vote in a particular manner, abstain from voting, or even disclose their secret keys. We define a scheme to be coercion resistant if it is impossible for the adversary to determine whether a coerced voter complies with the demands. Furthermore, we relax the requirements made in some previous proposals from an untappable channel to only requiring the existence of an anonymous channel.