Results 11  20
of
153
Pseudonym Systems
, 1999
"... Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previou ..."
Abstract

Cited by 118 (11 self)
 Add to MetaCart
Pseudonym systems allow users to interact with multiple organizations anonymously, using pseudonyms. The pseudonyms cannot be linked, but are formed in such a way that a user can prove to one organization a statement about his relationship with another. Such statement is called a credential. Previous work in this area did not protect the system against dishonest users who collectively use their pseudonyms and credentials, i.e. share an identity. Previous practical schemes also relied very heavily on the involvement of a trusted center. In the present paper we give a formal definition of pseudonym systems where users are motivated not to share their identity, and in which the trusted center's involvement is minimal. We give theoretical constructions for such systems based on any oneway function. We also suggest an efficient and easy to implement practical scheme. This is joint work with Ronald L. Rivest and Amit Sahai.
Oneway accumulators: A decentralized alternative to digital signatures
, 1993
"... Abstract. This paper describes a simple candidate oneway hash function which satisfies a quasicommutative property that allows it to be used aa an accumulator. This property allows protocols to be developed in which the need for a trusted central authority can be eliminated. Spaceefficient distr ..."
Abstract

Cited by 114 (0 self)
 Add to MetaCart
Abstract. This paper describes a simple candidate oneway hash function which satisfies a quasicommutative property that allows it to be used aa an accumulator. This property allows protocols to be developed in which the need for a trusted central authority can be eliminated. Spaceefficient distributed protocols are given for document time stamping and for membership testing, and many other applications are possible. 1
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
 Journal of Cryptology
, 1993
"... We show very efficient constructions for a pseudorandom generator and for a universal oneway hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal oneway hash functions for sign ..."
Abstract

Cited by 78 (8 self)
 Add to MetaCart
We show very efficient constructions for a pseudorandom generator and for a universal oneway hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudorandom generators can be used for private key encryption and universal oneway hash functions for signature schemes). The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed oneway function. All our construction can be implemented in NC using an optimal number of processors. Part of this work done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88  13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction Many cryptosystems are based on the intractability of such number theoretic problems such as factoring and discrete logarit...
OnLine/OffLine Digital Signatures
, 1994
"... A new type of signature scheme is proposed. It consists of two phases. The first phase is performed offline, before the message to be signed is even known. The second online phase is performed once the message to be signed is known, and is supposed to be very fast. A method for constructing such o ..."
Abstract

Cited by 72 (1 self)
 Add to MetaCart
A new type of signature scheme is proposed. It consists of two phases. The first phase is performed offline, before the message to be signed is even known. The second online phase is performed once the message to be signed is known, and is supposed to be very fast. A method for constructing such online/offline signature schemes is presented. The method uses onetime signature schemes, which are very fast, for the online signing. An ordinary signature scheme is used for the offline stage. In a practical implementation of our scheme, we use a variant of Rabin's signature scheme (based on factoring) and DES. In the online phase, all we use is a moderate amount of DES computation and a single modular multiplication. We stress that the costly modular exponentiation operation is performed offline. This implementation is ideally suited for electronic wallets or smart cards. A preliminary version appeared in the proceedings of Crypto89. OnLine/OffLine Digital Signing has obtained p...
Finding Collisions on a OneWay Street: Can Secure Hash Functions be Based on General Assumptions
, 1998
"... We prove the existence of an oracle relative to which there exist seveial wellknown cryptographic primitives, including oneway permutations, but excluding (for a suitably strong definition) collisionintractible hash functions. Thus any proof that such functions can be derived from these weaker ..."
Abstract

Cited by 72 (0 self)
 Add to MetaCart
We prove the existence of an oracle relative to which there exist seveial wellknown cryptographic primitives, including oneway permutations, but excluding (for a suitably strong definition) collisionintractible hash functions. Thus any proof that such functions can be derived from these weaker primitives is necessarily nonrelativizing; in particular, no provable construction of a collisionintractable hash function can exist based solely on a “black box ” oneway permutation. This result can be viewed as a partial justification for the common practice of treating the collisionintractable hash function as a cryptographic primitive, rather than attempting to derive it from a weaker primitive (such as a oneway permutation). Key words: Hash functions, oracle, cryptography, complexity theory 1
Lower bounds on the Efficiency of Generic Cryptographic Constructions
 41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE
, 2000
"... A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we ..."
Abstract

Cited by 61 (6 self)
 Add to MetaCart
A central focus of modern cryptography is the construction of efficient, “highlevel” cryptographic tools (e.g., encryption schemes) from weaker, “lowlevel ” cryptographic primitives (e.g., oneway functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentiallytight lower bounds on the best possible efficiency of any blackbox construction of some fundamental cryptographic tools from the most basic and widelyused cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal oneway hash functions, and digital signatures based on oneway permutations, as well as constructions of public and privatekey encryption schemes based on trapdoor permutations. In each case, we show that any blackbox construction beating our efficiency bound would yield the unconditional existence of a oneway function and thus, in particular, prove P = NP. 1
Strengthening Digital Signatures Via Randomized Hashing
 In CRYPTO
, 2006
"... Abstract. We propose randomized hashing as a mode of operation for cryptographic hash functions intended for use with standard digital signatures and without necessitating of any changes in the internals of the underlying hash function (e.g., the SHA family) or in the signature algorithms (e.g., RSA ..."
Abstract

Cited by 58 (2 self)
 Add to MetaCart
Abstract. We propose randomized hashing as a mode of operation for cryptographic hash functions intended for use with standard digital signatures and without necessitating of any changes in the internals of the underlying hash function (e.g., the SHA family) or in the signature algorithms (e.g., RSA or DSA). The goal is to free practical digital signature schemes from their current reliance on strong collision resistance by basing the security of these schemes on significantly weaker properties of the underlying hash function, thus providing a safety net in case the (current or future) hash functions in use turn out to be less resilient to collision search than initially thought. We design a specific mode of operation that takes into account engineering considerations (such as simplicity, efficiency and compatibility with existing implementations) as well as analytical soundness. Specifically, the scheme consists of a regular use of the hash function with randomization applied only to the message before it is input to the hash function. We formally show the sufficiency of weaker than collisionresistance assumptions for proving the security of the scheme. 1
HAVAL  A OneWay Hashing Algorithm with Variable Length of Output
, 1993
"... A oneway hashing algorithm is a deterministic algorithm that compresses an arbitrary long message into a value of specified length. The output value represents the fingerprint or digest of the message. A cryptographically useful property of a oneway hashing algorithm is that it is infeasible to fi ..."
Abstract

Cited by 51 (17 self)
 Add to MetaCart
A oneway hashing algorithm is a deterministic algorithm that compresses an arbitrary long message into a value of specified length. The output value represents the fingerprint or digest of the message. A cryptographically useful property of a oneway hashing algorithm is that it is infeasible to find two distinct messages that have the same fingerprint. This paper proposes a oneway hashing algorithm called HAVAL. HAVAL compresses a message of arbitrary length into a fingerprint of 128, 160, 192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the number of passes a message block (of 1024 bits) is processed. A message block can be processed in 3, 4 or 5 passes. By combining output length with pass, we can provide fifteen (15) choices for practical applications where different levels of security are required. The algorithm is very efficient and particularly suited for 32bit computers which predominate the current workstation market. Experiments show that HAVAL is 60%...
PublicKey Cryptosystems Resilient to Key Leakage
"... Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidec ..."
Abstract

Cited by 51 (6 self)
 Add to MetaCart
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidechannel attacks, especially the “cold boot attacks ” of Halderman et al. (USENIX Security ’08), Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of sidechannel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of publickey encryption, Akavia et al. showed that Regev’s latticebased scheme (STOC ’05) is resilient to any leakage of
Security Preserving Amplification of Hardness
 FOCS
, 1990
"... We consider the task of transforming a weak oneway function (which may be easily inverted on all but a polynomial fraction of the range) into a strong oneway function (which can be easily inverted only on a negligible fraction of the range). The previous known transformation [Yao 82] does not pres ..."
Abstract

Cited by 51 (9 self)
 Add to MetaCart
We consider the task of transforming a weak oneway function (which may be easily inverted on all but a polynomial fraction of the range) into a strong oneway function (which can be easily inverted only on a negligible fraction of the range). The previous known transformation [Yao 82] does not preserve the security (i.e., the runningtime of the inverting algorithm) within any polynomial. Its resulting function F (x) applies the weak oneway function to many small (of length x  ε, ε <1) pieces of the input. Consequently, the function can be inverted for reasonable input lengths by exhaustive search. Using random walks on constructive expanders, we transform any regular (e.g., onetoone) weak oneway function into a strong one, while preserving security. The resulting function F (x) applies the weak oneway f to strings of length Θ(x). Our security preserving constructions yield efficient pseudorandom generators and signatures based on any regular oneway function.