### Citations

- Bellare, Rogaway (1993). Random oracles are practical: A paradigm for designing efficient protocols.

- Canetti (2001). Universally composable security: A new paradigm for cryptographic protocols. 42nd FOCS. Also available at http://eprint.iacr.org/2000/067. (Previous versions of this work appeared under the title “A unified framework for analyzing security of Pr
Citation context: "...Recently, the study of problems in the generic models has been improved by the introduction of a new model named the semi-generic group model by Jager and Rupp [14]. This new model aims to cover the recently increased number of problems, especially after the advent of pairing cryptography.

1.2 Related Work. A main goal in cryptography is to implement adaptively secure protocols. So far only statically secure implementations from the information-theoretic model¹ are known. The idea is to implement them in the cryptographic model without erasure². This approach is based on Canetti's observation in [5, 6] that any CCA (chosen ciphertext attack) secure encryption scheme would work as a secure implementation as long as it has the non-committing³ property [6], and includes in the message two identification strings in order to protect against retransmission of the message by an attacker: one for the message (id_m) and the other for the sender (id_SEN).

Non-committing encryption and programmability in the ROM. A particular result about the ROM was discovered by Nielsen in [21]. He was the first to observe that a specific property of the ROM is required to prove security for an entire class of encryption..."

- Schwartz (1980). Fast probabilistic algorithms for verification of polynomial identities.
Citation context: "...to associate a suitable computation consistent with m, therefore creating a non-committing ciphertext. Our main goal in this work is to study whether non-committing schemes are possible in generic models. We present our four models in Section 3. They are the programmable and the non-programmable GGM, and the GRM versions: the programmable and the non-programmable GRM. In Section 4.2, we illustrate our proof technique using programmability by analyzing the ElGamal encryption scheme in the programmable GGM. Briefly, the proof gives a construction for a simulator and uses the Schwartz Lemma [22, 23] to find a lower bound in the distinguishing game, thereby showing that the ElGamal encryption scheme is non-committing under corruption of the sender and the receiver. In Section 5.2, we rely on the formulation and machinery for the GRM by Jager and Schwenk [16] to show that Goldwasser-Micali (GM) is also a non-committing encryption scheme regarding only receiver corruptions in the programmable GRM. This result does not rule out the possibility of a non-committing encryption scheme considering also sender corruptions; however, it is sufficient to circumvent the result in [21] in the computation..."

- Shoup (1997). Lower bounds for discrete logarithms and related problems.
Citation context: "...committing, programmability, generic ring model, generic group model

1 Introduction. Before giving details of our contribution and motivation, we start by giving a short introduction to the evolution of generic models and a description of how the property of programmability originally arose in security proofs based on the random oracle model.

1.1 Background. In the cryptographic literature the following models appear very often: (1) the random oracle model (ROM), and (2) the generic group model (GGM) and its generalization, the generic ring model (GRM). The GGM, formally introduced by Shoup [23] and Nechaev [20], captures the situation in which no property of the representation of the group is available to be exploited. The only available features are the group operation and the equality test between two members of the group. Both features are modeled as a generic operation oracle. The generalized notion of the GRM models all the ring operations,

(Page footer: Journal of Internet Services and Information Security, volume 1, number 2/3, pp. 57-73. ∗Supported by Ministry of Education, Culture, Sports, Science and Technology. †Supported in part by NTT Information Sharing Platform Laboratories and Grant-in...)"

- Coron (2000). On the exact security of full domain hash.

- Canetti, Goldreich, Halevi. The random oracle methodology, revisited.
Citation context: "...giving the security proof. This result essentially means that there is no NINCE protocol in the standard model, since no hash function is known to exist with the programmability feature required by actual security proofs, despite the efforts to construct this kind of primitive [13].

1.3 Motivation. The study of programmability in the generic models does not seem to have been proposed yet, although the idea of "programming the oracle" is not new, and even similarities, such as gaps between the models and real situations, have been observed in the ROM and the GGM, e.g., by Canetti, Goldreich and Halevi [7] and Dent [9]. Hence, from a theoretical viewpoint, this work partially fills a gap regarding generic models in the current status of the research, as shown in Table 1. The work of Nielsen confirms the intuition that proofs which rely on the programmability of the model are indeed more powerful, in the sense that more schemes can be proved secure. Therefore, from

¹ Where secure channels are assumed to exist. ² Where there are no secure channels and the parties are not trusted to erase their computation. ³ Briefly, the encryption scheme that has the property of generating ciphertexts which can be op..."

- Canetti, Feige, Goldreich, Naor (1996). Adaptively secure multi-party computation.

- Maurer, Renner, Holenstein (2004). Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology.
Citation context: "...status of the research, as shown in Table 1. The work of Nielsen confirms the intuition that proofs which rely on the programmability of the model are indeed more powerful, in the sense that more schemes can be proved secure. Therefore, from

¹ Where secure channels are assumed to exist. ² Where there are no secure channels and the parties are not trusted to erase their computation. ³ Briefly, the encryption scheme that has the property of generating ciphertexts which can be opened to two different plaintexts.

(Page header, p. 58: Programmability in the Generic Ring and Group Models, Larangeira and Tanaka)

|                 | ROM          | GGM          | GRM         |
|-----------------|--------------|--------------|-------------|
| Gap             | [7, 19]      | [9, 11, 17]  | [16]        |
| Programmability | [12, 21, 24] | [This work]  | [This work] |

Table 1: Research on gaps and programmability for the ROM, the GGM and the GRM.

...a more practical viewpoint, our approach of using the programmability of the generic operation oracle is interesting because it offers a new observation and an alternative to the reduction-centric two-step security proofs in the generic models.

1.4 Our Contribution. In this paper we introduce the use of programmability in the generic models. The intuition for our models comes from the two-step approach for security proofs. Recall that the lower..."

- Nielsen (2002). Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case.
Citation context: "...instead of the classical two-step approach: (1) find an efficient reduction R from a problem P to an adversary breaking the scheme in some sense, and (2) use the GRM/GGM to find a lower bound on the complexity of solving P. We observe that in such a model the simulator can choose the outputs of the generic operation oracle in a similar fashion to the programmability property of the ROM. We introduce four models, named programmable and non-programmable, for the GGM and analogously for the GRM. We show that in the programmable generic models it is possible to turn around the negative result by Nielsen [21] regarding non-committing encryption in the presence of an adversary who corrupts the receiver. We illustrate our idea by proving that the Goldwasser-Micali encryption scheme is a non-committing encryption scheme regarding corruption of the receiver in the programmable GRM, whereas for the programmable GGM we show that the popular ElGamal encryption scheme is also non-committing despite corruptions of the receiver and the sender. In both schemes the attack exposes the secret key.

Keywords: non-committing, programmability, generic ring model, generic group model

1 Introduction. Before..."

- Nechaev (1994). Complexity of a determinate algorithm for the discrete logarithm.

- Bellare, Hofheinz, Yilek (2009). Possibility and impossibility results for encryption and commitment secure under selective opening.

- Boneh, Venkatesan (1998). Breaking RSA may not be equivalent to factoring.
Citation context: "...adversary, and (2) show that P is intractable in the GGM. Since its introduction in the nineties, it has been used to argue about the assumed hardness of computational problems, e.g., computing discrete logarithms, the computational Diffie-Hellman problem, the decisional Diffie-Hellman problem, etc. Maurer introduced a different formulation [18], which Jager and Schwenk showed to be equivalent to Shoup's formulation [15] in a work which studies the models themselves. In 2008, the GGM was generalized to the GRM by Aggarwal and Maurer [1], using ideas already proposed by Boneh and Venkatesan [4]. Based on [1], Jager and Schwenk [16] improved once more the formulation of the GRM and showed that there are problems that can be solved efficiently in practice but which in the GRM are equivalent to factoring the modulus N = p·q. More recently, the study of problems in the generic models has been improved by the introduction of a new model named the semi-generic group model by Jager and Rupp [14]. This new model aims to cover the recently increased number of problems, especially after the advent of pairing cryptography.

1.2 Related Work. A main goal in cryptography is to implement adaptiv..."

- Hofheinz, Kiltz (2008). Programmable hash functions and their applications.
Citation context: "...and non-committing encryption (NINCE). This property was named the programmability of the ROM. Briefly, programmability is the power that B has to choose the output of the random oracle when interacting with the adversary (e.g., B chooses y arbitrarily and sets h(x) = y). That, ultimately, may help B in solving P, giving the security proof. This result essentially means that there is no NINCE protocol in the standard model, since no hash function is known to exist with the programmability feature required by actual security proofs, despite the efforts to construct this kind of primitive [13].

1.3 Motivation. The study of programmability in the generic models does not seem to have been proposed yet, although the idea of "programming the oracle" is not new, and even similarities, such as gaps between the models and real situations, have been observed in the ROM and the GGM, e.g., by Canetti, Goldreich and Halevi [7] and Dent [9]. Hence, from a theoretical viewpoint, this work partially fills a gap regarding generic models in the current status of the research, as shown in Table 1. The work of Nielsen confirms the intuition that proofs which rely on the programmability of the model are indeed..."
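The fragments quoted on this page describe programmability as the reduction's power to set h(x) = y, and the paper's claim that ElGamal is non-committing in the programmable GGM because the simulator chooses the outputs of the generic operation oracle and later opens the ciphertext once corruption exposes the secret key. The Python model below is an added illustration written for this page; it is not code from Larangeira and Tanaka and does not reproduce the paper's formal definitions or its Schwartz-lemma bound. It assumes a Shoup-style encoding oracle over a cyclic group of prime order P = 2^61 - 1, 16-byte random labels, and that the adversary makes no oracle queries on the uncommitted ciphertext labels before corruption; all class and function names are invented.

```python
import secrets

# Assumptions for this illustration: a cyclic group of prime order P
# (2**61 - 1 is a Mersenne prime) and 16-byte random labels.
P = 2**61 - 1
LABEL_BYTES = 16


class GenericGroup:
    """Shoup-style generic group: the exponent e of g^e is hidden behind a
    random label sigma(e).  Callers only ever see labels and may only use the
    generic operation oracle (op, inv, pow) and the equality test."""

    def __init__(self):
        self._enc = {}   # exponent -> label
        self._dec = {}   # label -> exponent

    def _fresh(self):
        while True:                       # unused random label: keeps sigma injective
            lab = secrets.token_hex(LABEL_BYTES)
            if lab not in self._dec:
                return lab

    def label(self, e):
        """sigma(e): assigned lazily and uniformly at random on first use."""
        e %= P
        if e not in self._enc:
            lab = self._fresh()
            self._enc[e] = lab
            self._dec[lab] = e
        return self._enc[e]

    def generator(self):
        return self.label(1)

    def op(self, a, b):
        return self.label(self._dec[a] + self._dec[b])

    def inv(self, a):
        return self.label(-self._dec[a])

    def pow(self, a, k):
        return self.label(self._dec[a] * k)

    @staticmethod
    def eq(a, b):
        return a == b


class ProgrammableGenericGroup(GenericGroup):
    """Programmable variant: the simulator, who runs the oracle, may hand out
    labels with no exponent attached and fix the encoding later, as long as
    the table stays injective."""

    def uncommitted_label(self):
        return self._fresh()              # deliberately NOT entered in the tables

    def is_free(self, e):
        return e % P not in self._enc

    def program(self, e, lab):
        e %= P
        if e in self._enc or lab in self._dec:
            raise ValueError("programming would break injectivity of the encoding")
        self._enc[e] = lab
        self._dec[lab] = e

    def exponent_of(self, lab):
        return self._dec[lab]             # simulator-only knowledge


# ElGamal over the generic group; plaintexts are group elements (labels).
def keygen(G):
    x = secrets.randbelow(P - 1) + 1
    return x, G.pow(G.generator(), x)                          # (x, h = g^x)

def encrypt(G, pk, M, r):
    return G.pow(G.generator(), r), G.op(M, G.pow(pk, r))      # (g^r, M * h^r)

def decrypt(G, x, ct):
    c1, c2 = ct
    return G.op(c2, G.inv(G.pow(c1, x)))                       # c2 / c1^x


def simulate_ciphertext(G):
    """A ciphertext that commits to nothing: two labels whose exponents are
    still unassigned.  Assumption: the adversary makes no oracle queries on
    them before corruption (bounding what such queries reveal is the step a
    real proof must handle; the page attributes it to the Schwartz lemma)."""
    c1, c2 = G.uncommitted_label(), G.uncommitted_label()
    while c2 == c1:
        c2 = G.uncommitted_label()
    return c1, c2

def open_to(G, ct, x, M):
    """On corruption the secret key x is exposed and the simulator learns the
    message M = sigma(m).  It samples r and programs c1 = sigma(r) and
    c2 = sigma(m + r*x); decrypting ct with x then yields M and re-encrypting
    M with r reproduces ct.  Returns r, the 'sender randomness' to hand over
    if the sender is corrupted as well."""
    c1, c2 = ct
    m = G.exponent_of(M)
    while True:
        r = secrets.randbelow(P)
        e2 = (m + r * x) % P
        if r != e2 and G.is_free(r) and G.is_free(e2):   # retry only on a collision
            G.program(r, c1)
            G.program(e2, c2)
            return r


def honest_roundtrip(m_exponent):
    """Sanity check of ElGamal in the plain (non-programmable) generic group."""
    G = GenericGroup()
    x, pk = keygen(G)
    M = G.label(m_exponent)
    ct = encrypt(G, pk, M, secrets.randbelow(P))
    return G.eq(decrypt(G, x, ct), M)

def demo(m_exponent):
    """Simulate first, fix the plaintext afterwards, then check the opened
    transcript against an honest encryption of that plaintext.
    Returns (uncommitted_before_opening, decrypts_to_M, reencryption_matches)."""
    G = ProgrammableGenericGroup()
    x, pk = keygen(G)
    ct = simulate_ciphertext(G)
    uncommitted = all(lab not in G._dec for lab in ct)
    M = G.label(m_exponent)                                    # chosen only now
    r = open_to(G, ct, x, M)
    return uncommitted, G.eq(decrypt(G, x, ct), M), encrypt(G, pk, M, r) == ct
```

`demo(5)` and `demo(123456789)` both return `(True, True, True)`: the same two random labels are explained as an encryption of whichever plaintext is named after the fact, which is exactly what a non-programmable oracle forbids, since there `label()` would have fixed the exponents of c1 and c2 at encryption time. What the toy leaves out is the adversary's oracle queries on the uncommitted labels before corruption; answering those consistently without being caught is where the paper's distinguishing-game bound does its work.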

- Maurer (2005). Abstract models of computation in cryptography.
Citation context: "...i.e., {+, −, ×, /}, and tests for equality and for the existence of the inverse of a member of the ring. Both the GGM and the GRM have been used over the years to provide evidence for the intractability of computational problems and to investigate relations between problems, e.g., [1, 18, 23]. One of the most famous uses of the GGM is in provable security, precisely in two-step security proofs. Namely, (1) find a reduction, say B, from a problem P to a successful adversary, and (2) show that P is intractable in the GGM. Since its introduction in the nineties, it has been used to argue about the assumed hardness of computational problems, e.g., computing discrete logarithms, the computational Diffie-Hellman problem, the decisional Diffie-Hellman problem, etc. Maurer introduced a different formulation [18], which Jager and Schwenk showed to be equivalent to Shoup's formulation..."

- Dent (2002). Adapting the weaknesses of the random oracle model to the generic group model.

- Dodis, Oliveira, Pietrzak (2005). On the generic insecurity of the full domain hash.

- Aggarwal, Maurer (2009). Breaking RSA generically is equivalent to factoring.

- Koblitz, Menezes (2006). Another look at generic groups.

- Fischlin, Lehmann, Ristenpart, Shrimpton, Stam, Tessaro (2010). Random oracles with(out) programmability.

- Fischlin (2000). A note on security proofs in the generic model.

- Jager, Schwenk (2009). On the analysis of cryptographic assumptions in the generic ring model.

- Jager, Rupp (2010). The semi-generic group model and applications to pairing-based cryptography.

- Jager, Schwenk (2008). On the equivalence of generic group models.