Results 1 to 10 of 71
Short Signatures without Random Oracles
2004
Cited by 393 (11 self)
Abstract: We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Verifiable delegation of computation over large datasets
In Proceedings of the 31st annual conference on Advances in cryptology, CRYPTO'11, 2011
Cited by 46 (4 self)
Abstract: We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many non-cryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al. (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments
In TCC, 2012
Cited by 42 (3 self)
Abstract: In 2010, Groth constructed the only previously known sublinear-communication NIZK circuit satisfiability argument in the common reference string model. We optimize Groth's argument by, in particular, reducing both the CRS length and the prover's computational complexity from quadratic to quasi-linear in the circuit size. We also use a (presumably) weaker security assumption, and have tighter security reductions. Our main contribution is to show that the complexity of Groth's basic arguments is dominated by the quadratic number of monomials in certain polynomials. We collapse the number of monomials to quasi-linear by using a recent construction of progression-free sets.
Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
In ACISP 2006
Cited by 32 (4 self)
Abstract: We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies "direct chosen-ciphertext techniques" to Waters' chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters' scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.
Elliptic curve cryptography: The serpentine course of a paradigm shift
J. Number Theory, 2008
Cited by 22 (5 self)
Abstract: Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on "social construction of technology" can contribute to a better understanding of this history.
Expressive key-policy attribute-based encryption with constant-size ciphertexts
In Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography (PKC 2011), 2011
Cited by 18 (4 self)
Abstract: Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor, the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exceptions only support restricted forms of threshold access policies. This paper proposes the first key-policy attribute-based encryption (KP-ABE) schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size. Towards achieving this goal, we first show that a certain class of identity-based broadcast encryption schemes generically yields monotonic KP-ABE systems in the selective set model. We then describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts. The downside of these new constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.
Zero-knowledge sets with short proofs
In EUROCRYPT 2008, LNCS, 2008
Cited by 17 (3 self)
Abstract: Zero Knowledge Sets, introduced by Micali, Rabin and Kilian in
Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs
Cited by 16 (1 self)
Abstract: Introduced by Micali, Rabin and Kilian (MRK), the basic primitive of zero-knowledge sets (ZKS) allows a prover to commit to a secret set S so as to be able to prove statements such as x ∈ S or x ∉ S. Chase et al. showed that ZKS protocols are underlain by a cryptographic primitive termed mercurial commitment. A (trapdoor) mercurial commitment has two commitment procedures. At committing time, the committer can choose not to commit to a specific message and rather generate a dummy value which it will be able to softly open to any message without being able to completely open it. Hard commitments, on the other hand, can be hardly or softly opened to only one specific message. At Eurocrypt 2008, Catalano, Fiore and Messina (CFM) introduced an extension called trapdoor q-mercurial commitment (qTMC), which allows committing to a vector of q messages. These qTMC schemes are interesting since their openings w.r.t. specific vector positions can be short (ideally, the opening length should not depend on q), which provides zero-knowledge sets with much shorter proofs when such a commitment is combined with a Merkle tree of arity q. The CFM construction notably features short proofs of non-membership as it makes use of a qTMC scheme with short soft openings. A problem left open is that hard openings still have size O(q), which prevents proofs of membership from being as compact as those of non-membership. In this paper, we solve this open problem and describe a new qTMC scheme where hard and soft position-wise openings, both, have constant size. We then show how our scheme is amenable to constructing independent zero-knowledge sets (i.e., ZKS schemes that prevent adversaries from correlating their set to the sets of honest provers, as defined by Gennaro and Micali). Our solution retains the short proof property for this important primitive as well.
Keywords: Zero-knowledge databases, mercurial commitments, efficiency, independence.
General Ad Hoc Encryption from Exponent Inversion IBE
In EUROCRYPT'07, 2007
Cited by 15 (2 self)
Abstract: Among the three broad classes of Identity-Based Encryption schemes built from pairings, the exponent inversion paradigm tends to be the most efficient, but also the least extensible: currently there are no hierarchical or other known extensions of IBE based on those schemes. In this work, we show that such extensions can be realized from IBE systems that conform to a certain abstraction of the exponent inversion paradigm. Our method requires no random oracles, and is simple and efficient.
Another look at generic groups
Advances in Mathematics of Communications, 2006
Cited by 13 (4 self)
Abstract: (Communicated by Andreas Stein) Starting with Shoup's seminal paper [24], the generic group model has been an important tool in reductionist security arguments. After an informal explanation of this model and Shoup's theorem, we discuss the danger of flaws in proofs. We next describe an ontological difference between the generic group assumption and the random oracle model for hash functions. We then examine some criticisms that have been leveled at the generic group model and raise some questions of our own.