
## Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks (2002)

Venue: Columbia University

Citations: 15 (2 self)

### Citations

3539 | New directions in cryptography
- Diffie, Hellman
- 1976
- Citation context: ... ϕ(N) and for all r ∈ Z*_N, the value r^(1/e) can be computed efficiently. Thus, the RSA assumption is at least as strong as the assumption that factoring is hard. Discrete-logarithm-based assumptions [42]. Assume a finite, cyclic group G such that the order of G is prime (this condition is not essential for the assumptions below, yet all G used in this work have this property). For any elements g, h ∈ ...

3332 | Handbook of applied cryptography
- Menezes, Oorschot, et al.

1644 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993

1390 | Probabilistic encryption
- Goldwasser, Micali
- 1984
- Citation context: ...versaries has become, by now, well-studied and well-understood. A salient example is encryption, for which definitions and secure constructions have been given by, among others, Goldwasser and Micali [69] and Blum and Goldwasser [21] (see [62] for more details). The security desired from an encryption scheme against a passive eavesdropper is intuitive, even if developing a formal definition is more di...

1383 | On the Security of Public-Key Protocols
- Dolev, Yao
- 1983
- Citation context: ...mpts to deal with such attacks focused on the security of ping-pong protocols (in which the output of a party is a simple function of the current input) against adversarial man-in-the-middle behavior [46, 45, 119, 52]. Although a formal approach is taken, certain limitations of this approach are apparent. First is that the class of ping-pong protocols is very limited; in particular, it does not include protocols w...

1246 | The knowledge complexity of interactive proof-systems
- Goldwasser, Micali, et al.
- 1989
- Citation context: ...and achieves only statistical secrecy. Chapter 5, Non-Malleable and Concurrent (Interactive) Proofs of Knowledge, 5.1 Introduction: A proof of knowledge, introduced by Goldwasser, Micali, and Rackoff [70], represents a formalization of the deceptively simple notion of “proving that you know something” to someone else. More formally, consider an arbitrary relation R which is computable in polynomial ti...

1027 | How to Prove Yourself: Practical Solutions to Identification and Signature Problems
- Fiat, Shamir
- 1986
- Citation context: ... chosen-ciphertext-secure public-key encryption [99, 105], (2) password-based authenticated key exchange in the public-key model [76, 22], (3) deniable authentication [44, 49], and (4) identification [56]. In many cases, our work provides the first efficient solutions to these problems based on factoring or other number-theoretic assumptions. These results are described in Chapter 5. Chapter 2 contain...

1009 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier

959 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali
- 1998
- Citation context: ...ructions are known, and a secure mac may be based on any one-way function [63, 77]. Signatures. A formal definition of security for signature schemes was first given by Goldwasser, Micali, and Rivest [71]. Here, a signer publishes a (public) verification key VK and keeps secret a signing key SK. A signing algorithm, which takes as additional input a signing key SK, associates a signature with every v...

861 | Construction of a pseudo-random generator from any one-way function
- Hastad, Impagliazzo, et al.
- Citation context: ... achieve much shorter commitment lengths. 4.1.1 Previous Work. The commitment primitive has been extensively studied. Standard commitment has been shown to exist if and only if one-way functions exist [96, 77]. A perfect commitment scheme has been constructed assuming the existence of one-way permutations [97]. Both schemes have been designed in the interactive model (where no public information is availab...

833 | Universally composable security: A new paradigm for cryptographic protocols.
- Canetti
- 2001
- Citation context: ...orrupted (although in Chapter 3 a limited form of corruption is considered).² Recently, a model capturing aspects of both the previous models and the model outlined here has been proposed by Canetti [27]. Canetti has shown [27] that protocols secure in this model enjoy very strong composability properties; in particular, protocols secure in this model are secure against many types of man-in-the-middl...

636 | How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority
- Goldreich, Micali, et al.
- 1987
- Citation context: ...itment protocols have become one of the most fundamental cryptographic primitives, and are used as sub-protocols in such applications as zero-knowledge proofs [67, 62], secure multi-party computation [66], and many others. Commitment protocols can also be used directly, for example, in remote (electronic) bidding. In this setting, parties bid by committing to a value; once bidding is complete, parties...

578 | Entity authentication and key distribution.
- Bellare, Rogaway
- 1994
- Citation context: ...nts of C remain hidden from the adversary even after interaction with the decryption oracle. Oracle-based models have also been proposed for analyzing key exchange and mutual authentication protocols [13, 15, 11]. In some cases, an oracle-based definition of security has been proven equivalent to a simulation-based definition [114] or to non-malleability [6, 16]. In these cases, it is often significantly easie...

539 | A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. CRYPTO
- Cramer, Shoup
- 1998
- Citation context: ...]. The above constructions are all based on general assumptions and are therefore highly impractical. Only one efficient and provably-secure construction of a non-malleable encryption scheme is known [36].⁶ An efficient (interactive) non-malleable commitment scheme has been given [58]. In the random oracle model, many efficient chosen-ciphertext-secure encryption schemes are known; e.g., [12, 14]. Re...

516 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
- Citation context: ...ion, the adversary may be given access to a decryption oracle which takes as input any ciphertext C and returns the underlying plaintext. We can then define a new type of secure encryption as follows [99, 105, 6] (see also Definition 2.5): First, the adversary receives ciphertext C. Then, the adversary may interact with the decryption oracle, obtaining the plaintext corresponding to any ciphertext(s) C′ of t...

479 | Non-malleable Cryptography
- Dolev, Dwork, et al.
- 2000
- Citation context: ...assively monitoring the communication network. Unfortunately, adversaries (who don’t often play by the rules) may not restrict themselves to being passive! In fact, it is quite reasonable to consider [99, 105, 44] an active adversary — a “man-in-the-middle” — who modifies the data as it is transmitted from sender to receiver. Attacks of this type raise a host of new questions; for example: What kind of securit...

463 | Security and composition of multiparty cryptographic protocols.
- Canetti
- 2000
- Citation context: ...he adversary appears in Section 2.2. This adversarial model considered here is distinct from (and incomparable with) other models which have been proposed for security in a multi-party setting (e.g., [66, 95, 61, 26]). In particular, other models typically assume authenticated channels (so that the identity of the sender of a message is unambiguous) and guaranteed delivery of messages; neither condition is assume...

440 | A hard-core predicate for all one-way functions.
- Goldreich, Levin
- 1989
- Citation context: ...Goldwasser [21]. The public key N is chosen as a product of two random k/2-bit primes (where k is the security parameter), and e is a prime number such that |e| = O(k).⁴ Let hc(·) be a hard-core bit [64] for the RSA permutation (so that, given r^e, hc(r) is computationally indistinguishable from random; note that hc(·) may depend on information included with the public parameters), and define hc*(...

439 | A certified digital signature
- Merkle
- 1990
- Citation context: ...s work refers to security in the sense of the definition above. Secure signature schemes may be constructed from any one-way function [98, 108]. A weaker notion is that of a one-time signature scheme [87, 94], in which the adversary is allowed to request only one signature from the Sign oracle before attempting a forgery. Although secure signature schemes and one-time signature schemes may both be constru...

436 | Encrypted Key Exchange: Password-based protocols secure against dictionary attacks.
- Bellovin, Merritt
- 1992
- Citation context: ... protocols to the multi-user setting have also appeared [22]. A protocol for password-only (i.e., where no PKI is assumed) authentication and key exchange was first introduced by Bellovin and Merritt [17], and many additional protocols have subsequently been proposed [73, 115, 79, 80, 89, 117]. These protocols have only informal arguments for their security; in fact, some of these protocols were later...

427 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems.
- Goldreich, Micali, et al.
- 1991
- Citation context: ...ata will remain hidden indefinitely. Commitment protocols have become one of the most fundamental cryptographic primitives, and are used as sub-protocols in such applications as zero-knowledge proofs [67, 62], secure multi-party computation [66], and many others. Commitment protocols can also be used directly, for example, in remote (electronic) bidding. In this setting, parties bid by committing to a val...

421 | A concrete security treatment of symmetric encryption
- Bellare, Desai, et al.
- 1997

402 | Authenticated Key Exchange Secure against Dictionary Attacks
- Bellare, Pointcheval, et al.
- 2000
- Citation context: ...e over a network completely controlled by an adversary. Here, the password shared by two parties is explicitly modeled as a weak, human-memorizable secret which may be easily guessed by the adversary [11, 24]. Due to the inherent weakness of the password, a secure protocol must ensure (among other things) that an adversary can not determine the password — and hence ¹ In the random oracle model, all partic...

401 | A public key cryptosystem and a signature scheme based on discrete logarithms
- Gamal
- 1985
- Citation context: ...nctions with polynomial preimage-size [9]; in particular, public-key cryptosystems exist based on the hardness of factoring [104] and RSA [107] assumptions. Security of the El-Gamal encryption scheme [51] is based on the DDH assumption. CCA2 public-key encryption schemes may be based on trapdoor permutations [44]; an efficient construction based on the DDH assumption is also known [36]. Semantic secur...

363 | Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1987
- Citation context: ...e can try to construct other interactive protocols for accomplishing this task, but without a precise definition it is unclear how to proceed. Indeed, defining the notion correctly has been difficult [70, 54, 116]. The effort to obtain the “right” definition culminated in the work of Bellare and Goldreich [8] which contains the now-standard definitional approach. Informally, and omitting many details, the defin...

362 | Digitalized signatures and public key functions as intractable as factoring
- Rabin
- 1979
- Citation context: ...s to be appropriately modified. For example, N is a Blum integer if N = pq with p, q prime and p, q = 3 mod 4; it is widely believed that factoring Blum integers is intractable. A result due to Rabin [104] shows that the hardness of inverting the squaring function, defined by f(x) = x^2 mod N, is equivalent to the hardness of factoring. A similar result holds for the function f_i(x) = x^(2^i) mod N (for fix...

350 | Universal One-Way Hash Functions and their Cryptographic Applications. 21st STOC
- Naor, Yung
- 1989
- Citation context: ...hm A = (A_1, A_2), the following is negligible (in k): Pr[(x, s) ← A_1(1^k); h ← H_k; x′ ← A_2(1^k, s, h) : x ≠ x′ ∧ h(x) = h(x′)]. Universal one-way hash functions were introduced by Naor and Yung [98], who provide a construction based on any one-way permutation. Subsequently, it was shown that one-way functions are sufficient for the construction of universal one-way hash functions [108]. Note tha...

330 | Analysis of key-exchange protocols and their use for building secure channels
- Canetti, Krawczyk
- 2001
- Citation context: ...me task. Depending on the precise definition, simulatability may guarantee (some form of) non-malleability. As an example, this approach has been used to define the security of key-exchange protocols [4, 114, 24, 30] against man-in-the-middle attacks. Using this methodology, an ideal model is defined in which the desired task is carried out. For the case of key exchange, this idealized model might include a speci...

310 | Authentication and authenticated key exchanges
- Diffie, Oorschot, et al.
- 1992

292 | The random oracle methodology revisited
- Canetti, Goldreich, et al.
- 2004
- Citation context: ... is instantiated with a cryptographic hash function. However, there are protocols which are secure in the random oracle model but are known to be insecure when instantiated with any concrete function [29].² “Man-in-the-middle attack” is a broad term for any attack in which communication between honest parties may be corrupted by an adversary. In this work we include precise definitions of security ag...

284 | Public-key cryptosystems provably secure against chosen ciphertext attacks.
- Naor, Yung
- 1990
- Citation context: ...assively monitoring the communication network. Unfortunately, adversaries (who don’t often play by the rules) may not restrict themselves to being passive! In fact, it is quite reasonable to consider [99, 105, 44] an active adversary — a “man-in-the-middle” — who modifies the data as it is transmitted from sender to receiver. Attacks of this type raise a host of new questions; for example: What kind of securit...

275 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1994
- Citation context: ...in [110, 38]. These constructions, however, are based on general assumptions and are therefore impractical. Efficient non-malleable encryption schemes are known in the random oracle model (e.g., OAEP [14]); we work in the standard model only. Prior to this work, the only efficient non-malleable encryption scheme in the standard model was [36], whose security is based on the DDH assumption. Subsequent ...

275 | Bit commitment using pseudorandomness.
- Naor
- 1991
- Citation context: ...sword-only authenticated key exchange in this setting. A preliminary version of this work has appeared previously [83]. • In Chapter 4, we consider the important cryptographic primitive of commitment [96]. There, we describe the first efficient and non-malleable protocols for non-interactive, perfect commitment. The security of our schemes may be based on either the RSA assumption or the discrete loga...

245 | A modular approach to the design and analysis of authentication and key exchange protocols
- Bellare, Canetti, et al.
- 1998
- Citation context: ...me task. Depending on the precise definition, simulatability may guarantee (some form of) non-malleability. As an example, this approach has been used to define the security of key-exchange protocols [4, 114, 24, 30] against man-in-the-middle attacks. Using this methodology, an ideal model is defined in which the desired task is carried out. For the case of key exchange, this idealized model might include a speci...

240 | The Security of the Cipher Block Chaining Message Authentication Code
- Bellare, Kilian, et al.
- 2000
- Citation context: ...rfy_sk(m, T) = 1. A mac is secure if an adversary is unable to forge a valid message/tag pair. Yet we need to specify the class of adversary we consider (i.e., the type of attack allowed). Following [10], we consider the strongest type of attack: the adversary may interact — adaptively and polynomially-many times — with an oracle mac_sk(·) that returns the correct tag for any message submitted by the ...

223 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory, See Gunther
- Guillou, Quisquater
- 1988
- Citation context: ...de range of applications. They are crucial for secure two-party and multi-party computation [66], and have also been used to build interactive commitment protocols [44, 59] and identification schemes [56, 74, 111]. They may also be used to construct encryption ... [Figure 5.2 omitted: diagram of a prover P (input x), a man-in-the-middle M, and a verifier V exchanging (y, A), c, z and (y′, A), c, z′] Figure 5.2: Ma...

214 | Non Interactive Zero Knowledge.
- Blum, Santis, et al.
- 1991
- Citation context: ... length. A preliminary version of this work has appeared previously [41]. • We next consider the case of interactive proofs of knowledge. Extending previous definitions in the non-interactive setting [44, 110, 38], we formally define the notion of a non-malleable, interactive proof of plaintext knowledge (PPK). We then give efficient constructions of non-malleable PPKs (for a number of standard cryptosystems) w...

190 | Strong Password-Only Authenticated Key Exchange.
- Jablon
- 1996
- Citation context: ...ocol for password-only (i.e., where no PKI is assumed) authentication and key exchange was first introduced by Bellovin and Merritt [17], and many additional protocols have subsequently been proposed [73, 115, 79, 80, 89, 117]. These protocols have only informal arguments for their security; in fact, some of these protocols were later broken [102] indicating the need for proofs of security in a well-defined model. Formal m...

189 | Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption.
- Cramer, Shoup
- 2002
- Citation context: ... Prior to this work, the only efficient non-malleable encryption scheme in the standard model was [36], whose security is based on the DDH assumption. Subsequent to the present work, Cramer and Shoup [37] have proposed non-malleable encryption schemes based on alternate assumptions; yet, it is important to note that (footnote 5: Unless stated otherwise, “encryption” refers to non-interactive encryption.) the ...

182 | Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1992
- Citation context: ...; the former, however, may be adapted to run in the public-parameters model (cf. Section 2.1.1). Efficient perfect commitment protocols, based on specific number-theoretic assumptions, are also known [103, 100]. Non-malleability of commitments was first explicitly considered by Dolev, Dwork, and Naor [44]. They also provided the first construction of a standard commitment scheme which is provably non-mallea...

173 | Concurrent Zero-Knowledge.
- Dwork, Naor, et al.
- 1998
- Citation context: ...cations of these protocols to (1) chosen-ciphertext-secure public-key encryption [99, 105], (2) password-based authenticated key exchange in the public-key model [76, 22], (3) deniable authentication [44, 49], and (4) identification [56]. In many cases, our work provides the first efficient solutions to these problems based on factoring or other number-theoretic assumptions. These results are described in...

170 | Universally Composable Commitments
- Canetti, Fischlin
- Citation context: ...ork is that protocols simulatable under the given definition are automatically secure against (certain classes of) man-in-the-middle attacks. Yet, it is difficult (and in certain cases, impossible [28]) to design secure protocols in this model without additional assumptions. Furthermore, for specific tasks (i.e., key exchange) it is often beneficial to design a model with that task specifically in ...

166 | Multiparty computation from threshold homomorphic encryption.
- Cramer, Damgård, et al.
- 2001
- Citation context: ...·); the PPK given below can be modified for this case in a straightforward way. In either case, the security of the PPK itself depends on the weaker computational assumption. We build on a Σ-protocol [34] that, given C, proves knowledge of m, y such that C = g^m y^N mod N^2. The basic Σ-protocol proceeds as follows: the prover chooses random x ∈ Z_N, u ∈ Z*_{N^2} and sends B = g^x u^N mod N^2 as the fi...

162 | On defining proofs of knowledge
- Bellare, Goldreich
- 1992
- Citation context: ...ition it is unclear how to proceed. Indeed, defining the notion correctly has been difficult [70, 54, 116]. The effort to obtain the “right” definition culminated in the work of Bellare and Goldreich [8] which contains the now-standard definitional approach. Informally, and omitting many details, the definition states that an interactive protocol Π constitutes a proof of knowledge if, for any Turing m...

152 | Non-Interactive Zero-Knowledge and Its Applications
- Blum, Feldman, et al.
- 1988
- Citation context: ...ity against man-in-the-middle attacks for all primitives we consider. ...break the protocol — using an off-line dictionary attack. We work in a setting in which a common string is known to all parties [20] and users otherwise share only a weak password (in particular, a public-key infrastructure is not required), and give the first efficient and provably-secure protocol for password-only authenticated k...

142 | How to prove a theorem so no one else can claim it.
- Blum
- 1987
- Citation context: ...of security must deal explicitly with copying instead of simply disallowing it. One may also consider the complementary notion in which proofs must remain uniquely identified with a particular prover [19, 44, 82]; in this case, even when an adversary copies a proof it should remain clear which party actually generated it.⁵ As before, we need to explicitly rule out copying. Thus, the adversary is not allowed ...

138 | Public-key cryptography and password protocols.
- Halevi, Krawczyk
- 1999
- Citation context: ...urrent fashion. Finally, we show applications of these protocols to (1) chosen-ciphertext-secure public-key encryption [99, 105], (2) password-based authenticated key exchange in the public-key model [76, 22], (3) deniable authentication [44, 49], and (4) identification [56]. In many cases, our work provides the first efficient solutions to these problems based on factoring or other number-theoretic assum...

136 | Constructing Digital Signatures from One-Way Functions, SRI intl. CSL-98
- Lamport
- 1979
- Citation context: ...s work refers to security in the sense of the definition above. Secure signature schemes may be constructed from any one-way function [98, 108]. A weaker notion is that of a one-time signature scheme [87, 94], in which the adversary is allowed to request only one signature from the Sign oracle before attempting a forgery. Although secure signature schemes and one-time signature schemes may both be constru...

133 | Public-key encryption in a multi-user setting: Security proofs and improvements.
- Bellare, Boldyreva, et al.
- 2000
- Citation context: ... (using the definition of success for experiments P′_0 and P_1). The remainder of the proof relies on a random self-reducibility property of the DDH problem that has been observed and used previously [114, 3]. When the tuple (g, h, s, t) is a DH tuple, the distribution on the view of A throughout this experiment is equivalent to the distribution on the view of A during experiment P′_0. The public output ...

131 | An efficient probabilistic public-key encryption scheme which hides all partial information
- Blum, Goldwasser
- 1985
- Citation context: ... well-studied and well-understood. A salient example is encryption, for which definitions and secure constructions have been given by, among others, Goldwasser and Micali [69] and Blum and Goldwasser [21] (see [62] for more details). The security desired from an encryption scheme against a passive eavesdropper is intuitive, even if developing a formal definition is more difficult: to prevent the adver...

120 | Secure computation
- Micali, Rogaway
- 1991
- Citation context: ...he adversary appears in Section 2.2. This adversarial model considered here is distinct from (and incomparable with) other models which have been proposed for security in a multi-party setting (e.g., [66, 95, 61, 26]). In particular, other models typically assume authenticated channels (so that the identity of the sender of a message is unambiguous) and guaranteed delivery of messages; neither condition is assume...

114 | Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords.
- Katz, Ostrovsky, et al.
- Citation context: ...ure is not required), and give the first efficient and provably-secure protocol for password-only authenticated key exchange in this setting. A preliminary version of this work has appeared previously [83]. • In Chapter 4, we consider the important cryptographic primitive of commitment [96]. There, we describe the first efficient and non-malleable protocols for non-interactive, perfect commitment. The ...

112 | Zero knowledge proofs of knowledge in two rounds
- Feige, Shamir
- 1990

93 | Session-Key Generation using Human Passwords Only
- Goldreich, Lindell
- 2001
- Citation context: ...eraction with an encryption oracle must also be taken into account. Other areas for which a formal approach to man-in-the-middle attacks has been given include: key exchange and mutual authentication [18, 13, 15, 4, 76, 114, 22, 11, 24, 23, 92, 30, 65], deniable authentication [49, 50, 48], identification [7], and designated-verifier proofs [81, 32]. 2.5 Notation and Preliminaries. 2.5.1 Notation. We adopt the now-standard notation of Goldwasser, Mic...

82 | Secure multi-party computation.
- Goldreich
- 1998
- Citation context: ...he adversary appears in Section 2.2. This adversarial model considered here is distinct from (and incomparable with) other models which have been proposed for security in a multi-party setting (e.g., [66, 95, 61, 26]). In particular, other models typically assume authenticated channels (so that the identity of the sender of a message is unambiguous) and guaranteed delivery of messages; neither condition is assume...

69 | Zero-knowledge proofs of knowledge without interaction (extended abstract)
- Santis, Persiano
- 1992

68 | Complete characterization of security notions for probabilistic private-key encryption
- Katz, Yung
- 1999
- Citation context: ...itions of security for public-key encryption (especially non-malleability vs. chosen-ciphertext security) are considered in [6, 16]. Similar relations have been established for private-key encryption [84], where the adversary’s interaction with an encryption oracle must also be taken into account. Other areas for which a formal approach to man-in-the-middle attacks has been given include: key exchange...

67 | Open key exchange: how to defeat dictionary attacks without encrypting public keys.
- Lucks
- 1997
- Citation context: ...ocol for password-only (i.e., where no PKI is assumed) authentication and key exchange was first introduced by Bellovin and Merritt [17], and many additional protocols have subsequently been proposed [73, 115, 79, 80, 89, 117]. These protocols have only informal arguments for their security; in fact, some of these protocols were later broken [102] indicating the need for proofs of security in a well-defined model. Formal m...

65 | Non-interactive and non-malleable commitment.
- Crescenzo, Ishai, et al.
- 1998
- Citation context: ...ct improved non-malleable encryption protocols, following the paradigm established in [99]. A revised definition of non-malleable commitment (appropriate for the case of perfect commitment) appears in [40, 58]. The first construction of a non-interactive, non-malleable commitment scheme is given in [40]. The above constructions are all based on general assumptions and are therefore highly impractical. Only...

64 | On the security of multi-party ping-pong protocols
- Even, Goldreich
- 1983
- Citation context: ...mpts to deal with such attacks focused on the security of ping-pong protocols (in which the output of a party is a simple function of the current input) against adversarial man-in-the-middle behavior [46, 45, 119, 52]. Although a formal approach is taken, certain limitations of this approach are apparent. First is that the class of ping-pong protocols is very limited; in particular, it does not include protocols w...

61 | Modular Design of Secure yet Practical Cryptographic Protocols
- Cramer
- 1997
- Citation context: ...sider the single-theorem case. The definitions may be modified for the multi-theorem case; however, the present definitions suffice for our intended applications. Σ-protocols. Since we use Σ-protocols [31] in an essential way as part of our constructions, we briefly review their definition here. A Σ-protocol is a pair of ppt algorithms (P, V) which defines a three-move interactive protocol between a pr...

60 | Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization.
- Bellare, Sahai
- 1999
- Citation context: ...ommitment scheme from the following components: first, we use a public-key encryption scheme (Gen, E, D) that is indistinguishable under an adaptive chosen-ciphertext attack (and hence non-malleable) [44, 6, 16]. Such a scheme can be based on any family of trapdoor permutations [44, 110, 38]. Next, we use a symmetric-key cryptosystem (K, E*, D*) which is indistinguishable under adaptive chosen-ciphertext...

60 | On the cryptographic applications of random functions
- Goldreich, Goldwasser, et al.
- 1985

56 | On the Security of Ping-Pong Protocols
- Dolev, Even, et al.
- 1982
- Citation context: ...mpts to deal with such attacks focused on the security of ping-pong protocols (in which the output of a party is a simple function of the current input) against adversarial man-in-the-middle behavior [46, 45, 119, 52]. Although a formal approach is taken, certain limitations of this approach are apparent. First is that the class of ping-pong protocols is very limited; in particular, it does not include protocols w...

55 | On-Line/Off-Line Digital Signatures
- Even, Goldreich, et al.
- 1996
- Citation context: ...mpting a forgery. Although secure signature schemes and one-time signature schemes may both be constructed from one-way functions, known constructions of one-time signature schemes are more efficient [53, 112]. Chapter 3, Password-Authenticated Key Exchange, 3.1 Introduction: Protocols for mutual authentication of two parties and generation of a cryptographically-strong shared key between them (authenticat...

52 | Password-authenticated key exchange based on RSA - MacKenzie, Patel, et al. - 2000
Citation Context: ...eraction with an encryption oracle must also be taken into account. Other areas for which a formal approach to man-in-the-middle attacks has been given include: key exchange and mutual authentication [18, 13, 15, 4, 76, 114, 22, 11, 24, 23, 92, 30, 65], deniable authentication [49, 50, 48], identification [7], and designated-verifier proofs [81, 32]. 2.5 Notation and Preliminaries 2.5.1 Notation We adopt the now-standard notation of Goldwasser, Mic...

48 | Zaps and Their Applications - Dwork, Naor - 2000
Citation Context: ...s for which a formal approach to man-in-the-middle attacks has been given include: key exchange and mutual authentication [18, 13, 15, 4, 76, 114, 22, 11, 24, 23, 92, 30, 65], deniable authentication [49, 50, 48], identification [7], and designated-verifier proofs [81, 32]. 2.5 Notation and Preliminaries 2.5.1 Notation We adopt the now-standard notation of Goldwasser, Micali, and Rackoff [70]. The set of n-bi...

48 | Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints - Dwork, Sahai - 1998
Citation Context: ...malicious verifier, can output a transcript which is indistinguishable from an interaction of the verifier with the actual prover. Constructions based on any non-malleable encryption scheme are known [49, 50, 48]. However, these protocols are not secure (in general) when a non-malleable interactive encryption scheme is used. For example, the non-malleable, interactive encryption scheme of [44] requires a sign...

46 | Number theoretic attacks on secure password schemes - Patel - 1997
Citation Context: ...ny additional protocols have subsequently been proposed [73, 115, 79, 80, 89, 117]. These protocols have only informal arguments for their security; in fact, some of these protocols were later broken [102], indicating the need for proofs of security in a well-defined model. Formal models of security for the password-only setting were given independently by Bellare, Pointcheval, and Rogaway [11] (buildin...

44 | Constant-round perfect zero-knowledge computationally convincing protocols - Brassard, Crépeau, et al. - 1991

44 | Extended password key exchange protocols immune to dictionary attack - Jablon - 1997
Citation Context: ...ocol for password-only (i.e., where no PKI is assumed) authentication and key exchange was first introduced by Bellovin and Merritt [17], and many additional protocols have subsequently been proposed [73, 115, 79, 80, 89, 117]. These protocols have only informal arguments for their security; in fact, some of these protocols were later broken [102], indicating the need for proofs of security in a well-defined model. Formal m...

42 | Optimal authentication protocols resistant to password guessing attacks - Gong - 1995

42 | Perfect zero-knowledge arguments for NP can be based on general complexity assumptions - Naor, Ostrovsky, et al. - 1992
Citation Context: ...y studied. Standard commitment has been shown to exist if and only if one-way functions exist [96, 77]. A perfect commitment scheme has been constructed assuming the existence of one-way permutations [97]. Both schemes have been designed in the interactive model (where no public information is available to the parties); the former, however, may be adapted to run in the public-parameters model (cf. Sec...

40 | Efficient non-malleable commitment schemes - Fischlin, Fischlin - 2000
Citation Context: ...ct improved non-malleable encryption protocols, following the paradigm established in [99]. A revised definition of non-malleable commitment (appropriate for the case of perfect commitment) appears in [40, 58]. The first construction of a non-interactive, non-malleable commitment scheme is given in [40]. The above constructions are all based on general assumptions and are therefore highly impractical. Only...

39 | Efficient zero-knowledge proofs of knowledge without intractability assumptions - Cramer, Damgård, et al. - 2000

35 | Public-key cryptography and password protocols: The multi-user case - Boyarsky - 1999
Citation Context: ...urrent fashion. Finally, we show applications of these protocols to (1) chosen-ciphertext-secure public-key encryption [99, 105], (2) password-based authenticated key exchange in the public-key model [76, 22], (3) deniable authentication [44, 49], and (4) identification [56]. In many cases, our work provides the first efficient solutions to these problems based on factoring or other number-theoretic assum...

31 | Limits on the Efficiency of One-Way Permutation-Based Hash Functions - Kim, Simon, et al. - 1999
Citation Context: ...s [108]. Note that any collision-resistant hash family is also universal one-way; however, there is evidence that the existence of collision-resistant hash functions is a strictly stronger assumption [85]. Public- and private-key encryption. An encryption scheme allows one party to send a message to another such that the contents of the message remain hidden from anyone intercepting the communication....

28 | One-way functions are essential for complexity-based cryptography - Impagliazzo, Luby - 1989
Citation Context: ... : b' = b] − 1/2|, with C ← E_pk(m_b) and b' ← A_2^{D_sk(·)}, where we require that A_2 not submit C to its decryption oracle. One-way functions are necessary and sufficient for constructing semantically-secure [78] and chosen-ciphertext-secure [44] private-key encryption schemes. Message authentication codes. A message authentication code (mac) allows two parties, who have shared a secret key in advance, to auth...

26 | Foundations of Cryptography: Basic Tools. Cambridge University Press - Goldreich - 2001
Citation Context: ...ied and well-understood. A salient example is encryption, for which definitions and secure constructions have been given by, among others, Goldwasser and Micali [69] and Blum and Goldwasser [21] (see [62] for more details). The security desired from an encryption scheme against a passive eavesdropper is intuitive, even if developing a formal definition is more difficult: to prevent the adversary from ...

24 | Adaptive Zero Knowledge and Computational Equivocation (Extended Abstract) - Beaver - 1996
Citation Context: ...com1, s); m2 = Decommit(σ, com2) : com1 ≠ com2 ∧ R(σ, D, m1, m2) = 1] Equivocable commitment schemes. Our constructions of non-malleable, perfect commitment schemes use equivocable commitment schemes [2] as a building block; such schemes have been used previously in designing non-malleable commitment protocols [40]. Informally, an equivocable commitment scheme in the public-parameter model is one for...

23 | More Efficient Password Authenticated Key Exchange - MacKenzie - 2001
Citation Context: ...assumptions (i.e., without random oracles or ideal ciphers). Subsequent to the work described in this chapter, other protocols with provable security in the random oracle model have been demonstrated [90, 91]. 3.1.2 Our Contribution Proofs of security in idealized models (random oracle/ideal cipher) do not necessarily translate to real-world security [29]. In fact, protocols are known which may be proven ...

16 | Computer data authentication. Federal Information Processing Standards Publication 113 - FIPS - 1994

15 | Many-to-one trapdoor functions and their relations to public-key cryptosystems - Bellare, Halevi, et al. - 1998
Citation Context: ...where we require that A_2 not submit C to its decryption oracle. Semantically-secure public-key encryption schemes may be based on any (family of) trapdoor functions with polynomial preimage-size [9]; in particular, public-key cryptosystems exist based on the hardness of factoring [104] and RSA [107] assumptions. Security of the El-Gamal encryption scheme [51] is based on the DDH assumption. CCA2...

14 | Multi-Party Cryptographic Computation: Techniques and Applications - Haber - 1988
Citation Context: ... to V; note, however, that M does not actually know x'! For many suggested applications of proofs of knowledge, preventing such attacks is essential. To give just one example, it has been suggested [60, 75, 62] (following [99]) to use interactive (zero-knowledge) proofs of knowledge to achieve chosen-ciphertext-secure (interactive) public-key encryption via the following construction: to encrypt a message m...

13 | Provably-Secure Password-Authenticated Key Exchange Using Diffie-Hellman. Eurocrypt '00 - Boyko, MacKenzie, et al.
Citation Context: ...e over a network completely controlled by an adversary. Here, the password shared by two parties is explicitly modeled as a weak, human-memorizable secret which may be easily guessed by the adversary [11, 24]. Due to the inherent weakness of the password, a secure protocol must ensure (among other things) that an adversary cannot determine the password — and hence(1) ... [footnote 1: In the random oracle model, all partic...]

13 | Symmetric public-key encryption - Haber, Yung - 1985
Citation Context: ... to V; note, however, that M does not actually know x'! For many suggested applications of proofs of knowledge, preventing such attacks is essential. To give just one example, it has been suggested [60, 75, 62] (following [99]) to use interactive (zero-knowledge) proofs of knowledge to achieve chosen-ciphertext-secure (interactive) public-key encryption via the following construction: to encrypt a message m...

10 | Protecting Poorly-Chosen Secrets from Guessing Attacks - Gong, Lomas, et al. - 1993
Citation Context: ...the public key of the server), Lomas et al. [88] were the first to present password-based authentication protocols resistant to off-line dictionary attacks; these protocols were subsequently improved [72]. However, formal definitions and proofs of security are not given. Formal definitions and provably-secure protocols for the public-key setting were given by Halevi and Krawczyk [76], and extensions o...

8 | On All-or-Nothing Transforms and Password-Authenticated Key Exchange - Boyko - 2000

7 | Provably-Secure Session Key Distribution: The Three Party Case - Bellare, Rogaway - 1995
Citation Context: ...nts of C remain hidden from the adversary even after interaction with the decryption oracle. Oracle-based models have also been proposed for analyzing key exchange and mutual authentication protocols [13, 15, 11]. In some cases, an oracle-based definition of security has been proven equivalent to a simulation-based definition [114] or to non-malleability [6, 16]. In these cases, it is often significantly easie...

7 | Reducing Risks from Poorly-Chosen Keys - Lomas, Gong, et al. - 1989
Citation Context: ...for new protocols in the password-only setting. In the public-key setting (where, as mentioned above, in addition to sharing a password the client requires the public key of the server), Lomas et al. [88] were the first to present password-based authentication protocols resistant to off-line dictionary attacks; these protocols were subsequently improved [72]. However, formal definitions and proofs of ...

6 | Fast and Secure Immunization Against Adaptive Man-in-the-Middle Impersonation. Eurocrypt '97 - Cramer, Damgård
Citation Context: ...ernate, simpler definitions for specific functionalities. We also remark that Canetti's model does not necessarily deal with all possible types of man-in-the-middle attacks (e.g., those considered in [81, 32, 44, 82]). 2.2 The Model: Details The number of participants n is fixed during the initialization phase and is polynomial in the security parameter. We model the participants and the adversary as interactive ...

6 | Designated-Verifier Proofs and their Applications. Eurocrypt '96 - Jakobsson, Sako, et al.
Citation Context: ...ernate, simpler definitions for specific functionalities. We also remark that Canetti's model does not necessarily deal with all possible types of man-in-the-middle attacks (e.g., those considered in [81, 32, 44, 82]). 2.2 The Model: Details The number of participants n is fixed during the initialization phase and is polynomial in the security parameter. We model the participants and the adversary as interactive ...

4 | SKEME: A versatile secure key-exchange mechanism for the Internet - Krawczyk - 1996
Citation Context: ...cols for these tasks were proposed (see [23] for an exhaustive bibliography), followed by increased realization that precise definitions and formalizations were necessary. The first formal treatments [18, 43, 13, 15, 86, 4, 114] were in a model in which participants had established cryptographically-strong information in advance of protocol execution: either a shared key [18, 13, 15, 4, 114] which is used for authentication ...

3 | A Proof of Plaintext Knowledge Protocol and Applications - Aumann, Rabin - 2001
Citation Context: ... of knowledge; previous work (e.g., [49]) considered concurrency only in the context of zero-knowledge. 5.1.2 Previous Work Proofs of plaintext knowledge are explicitly considered by Aumann and Rabin [1] who provide an elegant solution for any public-key encryption scheme. Our solutions improve upon theirs in many respects: (1) by working with specific, number-theoretic assumptions we vastly improve ...

3 | On the Security of the SPEKE Password-Authenticated Key Exchange Protocol - MacKenzie - 2001
Citation Context: ...assumptions (i.e., without random oracles or ideal ciphers). Subsequent to the work described in this chapter, other protocols with provable security in the random oracle model have been demonstrated [90, 91]. 3.1.2 Our Contribution Proofs of security in idealized models (random oracle/ideal cipher) do not necessarily translate to real-world security [29]. In fact, protocols are known which may be proven ...

3 | Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing - Pedersen - 1991
Citation Context: ...ting party cannot change his mind (binding) under assumptions about the computational power of the parties. An example will be instructive. In Figure 4.1, we illustrate the Pedersen commitment scheme [103] whose security is based on the hardness of computing discrete logarithms in a group G of prime order q. First, the receiver R chooses two random generators g, h ∈ G and sends these to the sender S. To ...

2 | Probabilistic Encryption: Theory and Applications - Goldwasser - 1984
Citation Context: ... non-malleable standard commitment scheme. This connection between non-malleable public-key encryption and non-malleable commitment seems not to have been noticed before. Following Blum and Goldwasser [21, 68] (who consider the case of semantic security for public-key encryption), we construct a communication-efficient, non-malleable standard commitment scheme from the following components: first, we use a...

1 | The Non-Malleability Lectures - Dwork - 1999
Citation Context: ...f above, we show that (4.1) is secure in the sense of NM-CCA2). This allows for much greater efficiency since NM-CPA public-key cryptosystems can be constructed more efficiently than IND-CCA2 schemes [47] and IND-P0-C2 symmetric-key schemes may be deterministic. We remark that the result in the theorem applies in the public random string model when chosen-ciphertext-secure dense [39] public-key encryp...

1 | The Representation Problem Based on Factoring. To appear, The Cryptographer's Track at RSA Conference - Fischlin, Fischlin - 2002
Citation Context: ...ier V. Proofs of knowledge have a wide range of applications. They are crucial for secure two-party and multi-party computation [66], and have also been used to build interactive commitment protocols [44, 59] and identification schemes [56, 74, 111]. They may also be used to construct encryption ... [Figure: man-in-the-middle attack on a proof of knowledge, with parties P (input x), M, V. P: r ← Z_q, y := g^x, A := g^r; P sends (y, A); V sends challenge c; P answers z := cx + r. M: r' ← Z_q, y' := y·g^{r'}, z' := z + c·r'] ...
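The Pedersen scheme sketched in Figure 4.1 (see the Pedersen entry above) and the man-in-the-middle transformation in the figure just above are both small enough to run end to end, and running them makes the two security claims concrete: Pedersen binding rests on the discrete logarithm of h, and a Schnorr-style proof of knowledge can be relayed by M so that V accepts a proof for a statement y' whose witness M does not hold. The following Python is an added example written for this page; it is not code from the thesis or from any of the cited works. It assumes a toy 64-bit safe-prime group generated at import time (a real deployment would use a 2048-bit or larger group, or an elliptic curve), keeps the receiver's trapdoor log_g h purely to show why a second opening of one commitment reveals it and why knowing it allows equivocation, and all function names are hypothetical.

```python
"""Pedersen commitment and the man-in-the-middle relay against a Schnorr-style
proof of knowledge, in the order-q subgroup of Z_p^* for a safe prime p = 2q+1.
Added example, not code from the thesis.  ASSUMPTION: a toy 64-bit group is
generated at import time; use a 2048-bit+ group or an elliptic curve for real."""
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def _is_prime(n, rng, rounds=24):
    """Miller-Rabin with rng-chosen bases; only used for toy parameter setup."""
    if n < 2:
        return False
    for s in _SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class Group:
    """Receiver R's public parameters (g, h) for Pedersen commitment.
    `trapdoor` = log_g h is kept ONLY to demonstrate equivocation; an honest R
    would discard it (or choose h without ever knowing it)."""

    def __init__(self, bits=64, seed=2002):
        rng = random.Random(seed)           # fixed seed: reproducible toy params
        while True:
            q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
            if _is_prime(q, rng) and _is_prime(2 * q + 1, rng):
                break
        self.p, self.q, self.rng = 2 * q + 1, q, rng
        self.g = pow(rng.randrange(2, self.p - 1), 2, self.p)  # square => order q
        self.trapdoor = rng.randrange(1, q)
        self.h = pow(self.g, self.trapdoor, self.p)

# ---- Pedersen commitment (Figure 4.1): com = g^m h^r -------------------------
def commit(G, m, r):
    """Sender S commits to m with r uniform in Z_q; perfectly hiding."""
    return pow(G.g, m % G.q, G.p) * pow(G.h, r % G.q, G.p) % G.p

def verify_opening(G, com, m, r):
    """R accepts the decommitment (m, r) iff it recomputes com."""
    return commit(G, m, r) == com

def equivocate(G, m1, r1, m2):
    """Trapdoor holder opens a commitment to m1 as m2:
    g^m1 h^r1 = g^m2 h^r2  <=>  r2 = r1 + (m1 - m2) / log_g(h)  (mod q)."""
    return (r1 + (m1 - m2) * pow(G.trapdoor, -1, G.q)) % G.q

def extract_trapdoor(G, m1, r1, m2, r2):
    """Computational binding: two distinct openings of one commitment give
    log_g(h) = (m1 - m2) / (r2 - r1), i.e. a discrete-logarithm solution."""
    return ((m1 - m2) * pow((r2 - r1) % G.q, -1, G.q)) % G.q

# ---- Schnorr-style proof of knowledge of x with y = g^x ----------------------
def prover_first(G):
    """P's first move: A = g^r for fresh r (r is kept to answer the challenge)."""
    r = G.rng.randrange(1, G.q)
    return pow(G.g, r, G.p), r

def prover_response(G, x, r, c):
    """P's answer to challenge c: z = c*x + r (mod q)."""
    return (c * x + r) % G.q

def verifier_accepts(G, y, A, c, z):
    """V checks g^z == y^c * A."""
    return pow(G.g, z, G.p) == pow(y, c, G.p) * A % G.p

def run_session(G, x, with_mitm=False):
    """Drive the three-move protocol.  With `with_mitm`, M sits between P and V:
    it forwards A and c untouched, shifts the statement to y' = y*g^{r'} and
    patches the response to z' = z + c*r', so V accepts a proof of knowledge of
    x' = x + r' although M knows neither x nor x'.  Returns (verdict, y as seen by V)."""
    y = pow(G.g, x, G.p)
    A, r = prover_first(G)                         # P -> (M) -> V : y, A
    if with_mitm:
        r_prime = G.rng.randrange(1, G.q)
        y = y * pow(G.g, r_prime, G.p) % G.p       # M -> V : y' = y*g^{r'}, A
    c = G.rng.randrange(1, G.q)                    # V -> (M) -> P : c
    z = prover_response(G, x, r, c)                # P -> (M) : z
    if with_mitm:
        z = (z + c * r_prime) % G.q                # M -> V : z' = z + c*r'
    return verifier_accepts(G, y, A, c, z), y
```

Calling `run_session(Group(), x)` and `run_session(Group(), x, with_mitm=True)` both return an accepting verdict; only the second returns a y that is not g^x, which is exactly the gap a non-malleable proof of knowledge has to close. The equivocation helper is the reason the thesis insists that the receiver (or public parameters) choose h so that nobody who can act as a sender knows log_g h.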

1 | Identity-Based Non-Interactive Zero-Knowledge - Katz, Ostrovsky, et al. - 2001
Citation Context: ...ernate, simpler definitions for specific functionalities. We also remark that Canetti's model does not necessarily deal with all possible types of man-in-the-middle attacks (e.g., those considered in [81, 32, 44, 82]). 2.2 The Model: Details The number of participants n is fixed during the initialization phase and is polynomial in the security parameter. We model the participants and the adversary as interactive ...