Results 11 - 20 of 63
New and improved constructions of non-malleable cryptographic protocols
In 37th Annual ACM Symposium on Theory of Computing, 2005
Cited by 42 (13 self)
We present a new constant-round protocol for non-malleable zero-knowledge. Using this protocol as a subroutine, we obtain a new constant-round protocol for non-malleable commitments. Our constructions rely on the existence of (standard) collision-resistant hash functions. Previous constructions either relied on the existence of trapdoor permutations and hash functions that are collision-resistant against sub-exponential sized circuits, or required a super-constant number of rounds. Additional results are the first construction of a non-malleable commitment scheme that is statistically hiding (with respect to opening), and the first non-malleable commitments that satisfy a strict polynomial-time simulation requirement. Our approach differs from the approaches taken in previous works in that we view non-malleable zero-knowledge as a building block rather than an end goal. This gives rise to a modular construction of non-malleable commitments and results in a somewhat simpler analysis.
Simulation in quasi-polynomial time, and its application to protocol composition
In EUROCRYPT, 2003
Cited by 39 (10 self)
We propose a relaxation of zero-knowledge, by allowing the simulator to run in quasi-polynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constant-round straight-line concurrent quasi-polynomial time simulatable arguments and show that such arguments can be used in advanced composition operations without any setup assumptions. Our protocols rely on slightly strong, but standard type assumptions (namely the existence of one-to-one one-way functions secure against sub-exponential circuits).
On Simulation-Sound Trapdoor Commitments
In proceedings of EUROCRYPT '04, LNCS series, 2003
Cited by 36 (1 self)
We study the recently introduced notion of a simulation-sound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any one-way functions, and how to construct very efficient SSTC schemes based on specific number-theoretic assumptions. We also show how to construct simulation-sound, non-malleable, and universally-composable zero-knowledge protocols using SSTC schemes, yielding, for instance, the most efficient universally-composable zero-knowledge protocols known. Finally, we explore the relation between SSTC schemes and non-malleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are non-malleable.
Concurrent non-malleable commitments
In FOCS, 2005
Cited by 34 (11 self)
We present a non-malleable commitment scheme that retains its security properties even when concurrently executed a polynomial number of times. That is, a man-in-the-middle adversary who is simultaneously participating in multiple concurrent commitment phases of our scheme, both as a sender and as a receiver, cannot make the values he commits to depend on the values he receives commitments to. Our result is achieved without assuming an a-priori bound on the number of executions and without relying on any setup assumptions. Our construction relies on the existence of standard claw-free permutations and only requires a constant number of communication rounds.
From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again
2011
Cited by 32 (13 self)
The existence of succinct non-interactive arguments for NP (i.e., non-interactive computationally-sound proofs where the verifier's work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in the random oracle model [Micali, FOCS '94], the only existing candidate construction is based on an elaborate assumption that is tailored to a specific protocol [Di Crescenzo and Lipmaa, CiE '08]. We formulate a general and relatively natural notion of an extractable collision-resistant hash function (ECRH) and show that, if ECRHs exist, then a modified version of Di Crescenzo and Lipmaa's protocol is a succinct non-interactive argument for NP. Furthermore, the modified protocol is actually a succinct non-interactive adaptive argument of knowledge (SNARK). We then propose several candidate constructions for ECRHs and relaxations thereof. We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct non-interactive zero-knowledge arguments, and to succinct two-party secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of
Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer
1999
Cited by 30 (0 self)
We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a "trusted initializer" who participates only in an initial setup phase. The scheme also utilizes private channels between each pair of parties. The Sender is able to easily commit to a large value; the scheme is not just a "bit-commitment" scheme. We also observe that 1-out-of-n oblivious transfer is easily handled in the same model, using a simple OT protocol due to Bennett et al. [2].
Reducing complexity assumptions for statistically-hiding commitment
In EUROCRYPT, 2005
Cited by 26 (8 self)
We revisit the following question: what are the minimal assumptions needed to construct statistically-hiding commitment schemes? Naor et al. show how to construct such schemes based on any one-way permutation. We improve upon this by showing a construction based on any approximable preimage-size one-way function. These are one-way functions for which it is possible to efficiently approximate the number of preimages of a given output. A special case is the class of regular one-way functions where all points in the image of the function have the same number of preimages. We also prove two additional results related to statistically-hiding commitment. First, we prove a (folklore) parallel composition theorem showing, roughly speaking, that the statistical hiding property of any such commitment scheme is amplified exponentially when multiple independent parallel executions of the scheme are carried out. Second, we show a compiler which transforms any commitment scheme which is statistically hiding against an honest-but-curious receiver into one which is statistically hiding even against a malicious receiver.
The Case of the Fake Picasso: Preventing History Forgery with Secure Provenance
Cited by 24 (3 self)
As increasing amounts of valuable information are produced and persist digitally, the ability to determine the origin of data becomes important. In science, medicine, commerce, and government, data provenance tracking is essential for rights protection, regulatory compliance, management of intelligence and medical data, and authentication of information as it flows through workplace tasks. In this paper, we show how to provide strong integrity and confidentiality assurances for data provenance information. We describe our provenance-aware system prototype that implements provenance tracking of data writes at the application layer, which makes it extremely easy to deploy. We present empirical results that show that, for typical real-life workloads, the runtime overhead of our approach to recording provenance with confidentiality and integrity guarantees ranges from 1%–13%.
Cryptographic primitives enforcing communication and storage complexity
In Financial Cryptography (FC 2002), 2003
Cited by 23 (0 self)
We introduce a new type of cryptographic primitives which enforce high communication or storage complexity. Intuitively, to evaluate these primitives on a random input one has to engage in a protocol of high communication complexity, or one has to use a lot of storage. Therefore, the ability to compute these primitives constitutes a certain "proof of work," because the computing party is forced to contribute a lot of its communication or storage resources to this task. Such primitives can be used in applications which deal with non-malicious but selfishly resource-maximizing parties. For example, they can be useful in constructing peer-to-peer systems which are robust against so-called "free riders." In this paper we define two such primitives, a communication-enforcing signature and a storage-enforcing commitment scheme, and we give constructions for both.
SPATE: Small-group PKI-less authenticated trust establishment
In MobiSys, 2009
Cited by 19 (8 self)
Establishing trust between a group of individuals remains a difficult problem. Prior works assume trusted infrastructure, require an individual to trust unknown entities, or provide relatively low probabilistic guarantees of authenticity (95% for realistic settings). This work presents SPATE, a primitive that allows users to establish trust via device mobility and physical interaction. Once the SPATE protocol runs to completion, its participants' mobile devices have authentic data that their applications can use to interact securely (i.e., the probability of a successful attack is 2^-24). For this work, we leverage SPATE as part of a larger system to facilitate efficient, secure, and user-friendly collaboration via email and file-sharing services. Our implementation of SPATE on Nokia N70 smartphones allows users to establish trust in small groups of up to eight users in less than one minute. The two example SPATE applications provide increased security with no overhead noticeable to users once keys are established.