Results 1  10
of
33
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 447 (22 self)
 Add to MetaCart
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Design and Analysis of Practical PublicKey Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack
 SIAM Journal on Computing
, 2001
"... A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption sc ..."
Abstract

Cited by 189 (11 self)
 Add to MetaCart
A new public key encryption scheme, along with several variants, is proposed and analyzed. The scheme and its variants are quite practical, and are proved secure against adaptive chosen ciphertext attack under standard intractability assumptions. These appear to be the first publickey encryption schemes in the literature that are simultaneously practical and provably secure.
A Proposal for an ISO Standard for Public Key Encryption (version 2.0)
, 2001
"... This document should be viewed less as a first draft of a standard for publickey encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed. ..."
Abstract

Cited by 111 (3 self)
 Add to MetaCart
This document should be viewed less as a first draft of a standard for publickey encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
Priced Oblivious Transfer: How to Sell Digital Goods
 In Birgit Pfitzmann, editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science
, 2001
"... Abstract. We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose s ..."
Abstract

Cited by 95 (5 self)
 Add to MetaCart
Abstract. We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose solutions which allow the buyer, after making an initial deposit, to engage in an unlimited number of priced oblivioustransfer protocols, satisfying the following requirements: As long as the buyer’s balance contains sufficient funds, it will successfully retrieve the selected item and its balance will be debited by the item’s price. However, the buyer should be unable to retrieve an item whose cost exceeds its remaining balance. The vendor should learn nothing except what must inevitably be learned, namely, the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer’s current balance is or when it actually runs out of its funds. The technical tools we develop, in the process of solving this problem, seem to be of independent interest. In particular, we present the first oneround (twopass) protocol for oblivious transfer that does not rely on the random oracle model (a very similar protocol was independently proposed by Naor and Pinkas [21]). This protocol is a special case of a more general “conditional disclosure ” methodology, which extends a previous approach from [11] and adapts it to the 2party setting. 1
OneRound Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract)
, 2000
"... This paper investigates oneround secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob ..."
Abstract

Cited by 71 (0 self)
 Add to MetaCart
This paper investigates oneround secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. A model in which Bob may be computationally unbounded is investigated, which corresponds to informationtheoretic security for Alice. It is shown that 1. for honestbutcurious behavior and unbounded Bob, any function computable by a polynomialsize circuit can be computed securely assuming the hardness of the decisional DiffieHellman problem; 2. for malicious behavior by both (bounded) parties, any function computable by a polynomialsize circuit can be computed securely, in a publickey framework, assuming the hardness of the decisional DiffieHellman problem.
Efficient SelectiveID Secure Identity Based Encryption without Random Oracles
 Proceedings of Eurocrypt 2004, volume 3027 of LNCS
, 2004
"... We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to ..."
Abstract

Cited by 68 (9 self)
 Add to MetaCart
We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.
Dynamic Group DiffieHellman Key Exchange under Standard Assumptions
, 2002
"... authenticated Di#eHellman key exchange allows two principals communicating over a public network, and each holding public /private keys, to agree on a shared secret value. In this paper we study the natural extension of this cryptographic problem to a group of principals. We begin from existing ..."
Abstract

Cited by 57 (11 self)
 Add to MetaCart
authenticated Di#eHellman key exchange allows two principals communicating over a public network, and each holding public /private keys, to agree on a shared secret value. In this paper we study the natural extension of this cryptographic problem to a group of principals. We begin from existing formal security models and refine them to incorporate major missing details (e.g., strongcorruption and concurrent sessions). Within this model we define the execution of a protocol for authenticated dynamic group Di#eHellman and show that it is provably secure under the decisional Di#eHellman assumption. Our security result holds in the standard model and thus provides better security guarantees than previously published results in the random oracle model.
Efficient Trace and Revoke Schemes
 Financial Cryptography  FC 2000
, 2000
"... Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start b ..."
Abstract

Cited by 53 (1 self)
 Add to MetaCart
Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties and is secure against coalitions of up to t users. The performance of this scheme is more efficient than that of previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self enforcement properties. More precisely, how to construct schemes such that (1) Each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), in order to make users would be reluctant to disclose their keys. (2) An illegal decryption device discloses the identity of users that contributed keys to construct the device. And, (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.
Applications of Multilinear Forms to Cryptography
 Contemporary Mathematics
, 2002
"... We study the problem of finding efficiently computable nondegenerate multilinear maps from G 1 to G 2 , where G 1 and G 2 are groups of the same prime order, and where computing discrete logarithms in G 1 is hard. We present several applications to cryptography, explore directions for building such ..."
Abstract

Cited by 51 (7 self)
 Add to MetaCart
We study the problem of finding efficiently computable nondegenerate multilinear maps from G 1 to G 2 , where G 1 and G 2 are groups of the same prime order, and where computing discrete logarithms in G 1 is hard. We present several applications to cryptography, explore directions for building such maps, and give some reasons to believe that finding examples with n > 2 may be difficult.
Multilinear Formulas and Skepticism of Quantum Computing
 In Proc. ACM STOC
, 2004
"... Several researchers, including Leonid Levin, Gerard 't Hooft, and Stephen Wolfram, have argued that quantum mechanics will break down before the factoring of large numbers becomes possible. If this is true, then there should be a natural "Sure/Shor separator"that is, a set of quantum states tha ..."
Abstract

Cited by 30 (7 self)
 Add to MetaCart
Several researchers, including Leonid Levin, Gerard 't Hooft, and Stephen Wolfram, have argued that quantum mechanics will break down before the factoring of large numbers becomes possible. If this is true, then there should be a natural "Sure/Shor separator"that is, a set of quantum states that can account for all experiments performed to date, but not for Shor's factoring algorithm. We propose as a candidate the set of states expressible by a polynomial number of additions and tensor products. Using a recent lower bound on multilinear formula size due to Raz, we then show that states arising in quantum errorcorrection require n## additions and tensor products even to approximate, which incidentally yields the first superpolynomial gap between general and multilinear formula size of functions. More broadly, we introduce a complexity classification of pure quantum states, and prove many basic facts about this classification. Our goal is to refine vague ideas about a breakdown of quantum mechanics into specific hypotheses that might be experimentally testable in the near future.