Results 1-10 of 55
Session-Key Generation using Human Passwords Only
2001
Cited by 76 (7 self)
Abstract
We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form “is w the password of Party A”. We stress that the result holds also in case the passwords are selected at random from a small dictionary, so that it is feasible (for the adversary) to scan the entire dictionary. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.
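The abstract draws a line between two attacker budgets: testing every word of a small dictionary offline against a recorded transcript, versus a constant number of online “is w the password of Party A” queries against the honest parties. The Python below is an added illustration of that distinction, not code from the paper (which gives no concrete protocol here). It uses a hypothetical naive challenge-response scheme (`naive_prove`, HMAC keyed by the password) as the thing a PAKE is meant to replace, and an `OnlineOracle` class that models the bounded-query adversary the abstract's guarantee reduces to. The dictionary, password and nonce are constructed for the demo.

```python
"""Added example: offline dictionary attack versus bounded online guessing.

Assumptions (not from the paper): a naive challenge-response protocol in which
the client answers a server nonce with HMAC(password, nonce); an eavesdropper
who records one session; a small constructed dictionary.
"""
import hashlib
import hmac
import os

# Constructed "small dictionary" in the abstract's sense: scanning it is cheap.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "dragon", "hunter2"]


def naive_prove(password: str, challenge: bytes) -> bytes:
    """Hypothetical naive scheme: the response is a password-keyed HMAC of the
    server's nonce. Nonce and response both cross the channel in the clear."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def offline_dictionary_attack(transcript, dictionary):
    """Eavesdropper recomputes the response for every candidate password and
    compares it to the recorded one. No interaction with the parties is needed.
    Returns (recovered_password_or_None, number_of_candidates_tested)."""
    challenge, response = transcript
    tested = 0
    for w in dictionary:
        tested += 1
        if hmac.compare_digest(naive_prove(w, challenge), response):
            return w, tested
    return None, tested


class OnlineOracle:
    """Models the only capability the abstract grants the adversary against a
    secure protocol: a constant number of 'is w the password of Party A' queries."""

    def __init__(self, password: str, max_queries: int):
        self._password = password
        self.remaining = max_queries

    def is_password(self, w: str) -> bool:
        if self.remaining == 0:
            raise PermissionError("online guess budget exhausted")
        self.remaining -= 1
        return hmac.compare_digest(w.encode(), self._password.encode())


def online_guess_attack(oracle: OnlineOracle, dictionary):
    """Same dictionary, but each test costs one online query; with a constant
    budget only a constant number of candidates can ever be checked."""
    for w in dictionary:
        try:
            if oracle.is_password(w):
                return w
        except PermissionError:
            return None
    return None


def demo(password: str = "hunter2", budget: int = 2):
    """Run both attacks on the same password; returns (offline_result, online_result)."""
    challenge = os.urandom(16)  # server nonce, constructed for the demo
    transcript = (challenge, naive_prove(password, challenge))
    recovered_offline, _ = offline_dictionary_attack(transcript, DICTIONARY)
    recovered_online = online_guess_attack(OnlineOracle(password, budget), DICTIONARY)
    return recovered_offline, recovered_online


if __name__ == "__main__":
    print(demo())
```

The offline attack recovers the password from one recorded session with zero queries to the honest parties; the oracle-bounded attacker, which is what the paper's guarantee limits a real adversary to, gives up after its constant budget regardless of dictionary size. Any password protocol that lets a passive observer verify a guess locally fails in exactly the first way.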
Notions of Reducibility between Cryptographic Primitives
2004
Cited by 64 (7 self)
Abstract
Starting with the seminal paper of Impagliazzo and Rudich [18], there has been a large body of work showing that various cryptographic primitives cannot be reduced to each other via "black-box" reductions.
Lower Bounds on the Efficiency of Generic Cryptographic Constructions
41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, 2000
Cited by 61 (6 self)
Abstract
A central focus of modern cryptography is the construction of efficient, “high-level” cryptographic tools (e.g., encryption schemes) from weaker, “low-level” cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions and their efficiency. Here, we show essentially tight lower bounds on the best possible efficiency of any black-box construction of some fundamental cryptographic tools from the most basic and widely used cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal one-way hash functions, and digital signatures based on one-way permutations, as well as constructions of public- and private-key encryption schemes based on trapdoor permutations. In each case, we show that any black-box construction beating our efficiency bound would yield the unconditional existence of a one-way function and thus, in particular, prove P != NP.
Extending Oblivious Transfers Efficiently
2003
Cited by 60 (1 self)
Abstract
We consider the problem of extending oblivious transfers: given a small number of oblivious transfers “for free,” can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function.
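To make the “small number of OTs for free, large number of OTs out” idea concrete, here is an added Python example (illustration code, not the paper's own implementation) of the extension construction this paper is known for, in the random-oracle-style form: the receiver's kappa base OTs transfer the columns of a matrix, after which every additional OT costs the sender and receiver only XORs and hash evaluations. The kappa base OTs are simulated by an ideal function `ideal_base_ot` (an assumption standing in for any real base-OT protocol), `h` plays the role of the hash, and the messages and choice bits are constructed. The code models honest-but-curious parties only; it contains no consistency check against a receiver who uses inconsistent rows of U.

```python
"""Added example: OT extension, kappa base OTs -> m string OTs (m >> kappa in practice).

Roles: the extension RECEIVER acts as SENDER in the base OTs (offering matrix
columns), and the extension SENDER acts as RECEIVER in the base OTs (choosing
with its secret string s). Base OTs are idealised here; semi-honest model only.
"""
import hashlib
import os

KAPPA = 128  # number of base OTs (security parameter)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def h(j: int, q: bytes, n: int) -> bytes:
    """Hash used as the correlation-robust function H(j, q), truncated to n bytes."""
    return hashlib.sha256(j.to_bytes(4, "big") + q).digest()[:n]


def ideal_base_ot(sender_pairs, receiver_choices):
    """Stand-in for the kappa 'free' base OTs: choice c yields pair[c], nothing else."""
    return [pair[c] for pair, c in zip(sender_pairs, receiver_choices)]


def pack_bits(bits) -> bytes:
    """Pack 0/1 ints (length a multiple of 8) into bytes, bit 0 = MSB of byte 0."""
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def bit(b: bytes, j: int) -> int:
    return (b[j // 8] >> (7 - j % 8)) & 1


def row(cols, j: int) -> bytes:
    """Row j of a bit matrix stored as a list of kappa column bit-strings."""
    return pack_bits([bit(c, j) for c in cols])


def ot_extension(sender_msgs, receiver_bits, kappa: int = KAPPA):
    """Run the extension end to end and return the receiver's m chosen messages.

    sender_msgs: list of m pairs (x0, x1) of equal-length byte strings.
    receiver_bits: list of m choice bits, m a multiple of 8.
    """
    m = len(receiver_bits)
    n = len(sender_msgs[0][0])
    assert len(sender_msgs) == m and m % 8 == 0
    r = pack_bits(receiver_bits)

    # Receiver: random m x kappa matrix T (kept by columns) and U = T xor (r | r | ... | r).
    t_cols = [os.urandom(m // 8) for _ in range(kappa)]
    u_cols = [xor(t, r) for t in t_cols]

    # Sender: random string s, used as its choice bits in the kappa base OTs.
    s_bits = [os.urandom(1)[0] & 1 for _ in range(kappa)]
    s = pack_bits(s_bits)
    q_cols = ideal_base_ot(list(zip(t_cols, u_cols)), s_bits)
    # Invariant: row j of Q equals t_j xor (r_j * s), i.e. t_j if r_j = 0, else t_j xor s.

    # Sender: mask x0 with H(j, q_j) and x1 with H(j, q_j xor s); transmit the pairs.
    ys = []
    for j, (x0, x1) in enumerate(sender_msgs):
        q_j = row(q_cols, j)
        ys.append((xor(x0, h(j, q_j, n)), xor(x1, h(j, xor(q_j, s), n))))

    # Receiver: H(j, t_j) unmasks exactly the chosen message; the other mask
    # depends on s, which the receiver never learns.
    outputs = []
    for j, r_j in enumerate(receiver_bits):
        outputs.append(xor(ys[j][r_j], h(j, row(t_cols, j), n)))
    return outputs


if __name__ == "__main__":
    msgs = [(bytes([i]) * 8, bytes([255 - i]) * 8) for i in range(256)]  # constructed
    bits = [(i * 7) % 2 for i in range(256)]                                # constructed
    out = ot_extension(msgs, bits)
    print(all(out[j] == msgs[j][bits[j]] for j in range(256)))
```

The per-OT cost after the base phase is two hash calls and a few XORs on each side, independent of any public-key operation; that is the efficiency gain over extending through a generic one-way function. The base OTs are consumed only once for the whole batch, so in practice m is in the millions while kappa stays at the security parameter.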
Finding Collisions in Interactive Protocols – A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 33 (11 self)
Abstract
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
Chosen-Ciphertext Security via Correlated Products
Cited by 31 (3 self)
Abstract
We initiate the study of one-wayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (x1, ..., xk), so that the function (f(x1), ..., f(xk)) is one-way. The main motivation of this study is the construction of public-key encryption schemes that are secure against chosen-ciphertext attacks (CCA). We show that any collection of injective trapdoor functions that is secure under very natural correlated products can be used to construct a CCA-secure public-key encryption scheme. The construction is simple, black-box, and admits a direct proof of security. We provide evidence that security under correlated products is achievable by demonstrating that any collection of lossy trapdoor functions, a powerful primitive introduced by Peikert and Waters (STOC ’08), yields a collection of injective trapdoor functions that is secure under the above-mentioned natural correlated products. Although we eventually base security under correlated products on lossy trapdoor functions, we argue that the former notion is potentially weaker as a general assumption. Specifically, there is no fully-black-box construction of lossy trapdoor functions from trapdoor functions that are secure under correlated products.
On Robust Combiners for Oblivious Transfer and Other Primitives
In Proc. Eurocrypt ’05, 2005
Cited by 30 (1 self)
Abstract
At the mouth of two witnesses... shall the matter be established. Deuteronomy, Chapter 19.
On the (Im)Possibility of Key Dependent Encryption
Cited by 23 (1 self)
Abstract
We study the possibility of constructing encryption schemes secure under messages that are chosen depending on the key k of the encryption scheme itself. We give the following separation results: • Let H be the family of poly(n)-wise independent hash functions. There exists no fully-black-box reduction from an encryption scheme secure against key-dependent inputs to one-way permutations (and also to families of trapdoor permutations) if the adversary can obtain encryptions of h(k) for h ∈ H. • Let G be the family of polynomial-sized circuits. There exists no reduction from an encryption scheme secure against key-dependent inputs to, seemingly, any cryptographic assumption, if the adversary can obtain an encryption of g(k) for g ∈ G, as long as the reduction’s proof of security treats both the adversary and the function g as a black box. Keywords: Key-dependent input security, black-box separation
Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins?
In Proc. Crypto ’04, 2004
Cited by 23 (0 self)
Abstract
Many cryptographic primitives begin with parameter generation, which picks a primitive from a family. Such generation can use public coins (e.g., in the discrete-logarithm-based case) or secret coins (e.g., in the factoring-based case). We study the relationship between public-coin and secret-coin collision-resistant hash function families (CRHFs). Specifically, we demonstrate that: – there is a lack of attention to the distinction between secret-coin and public-coin definitions in the literature, which has led to some problems in the case of CRHFs; – in some cases, public-coin CRHFs can be built out of secret-coin CRHFs; – the distinction between the two notions is meaningful, because in general secret-coin CRHFs are unlikely to imply public-coin CRHFs. The last statement above is our main result, which states that there is no black-box reduction from public-coin CRHFs to secret-coin CRHFs. Our proof for this result, while employing oracle separations, uses a novel approach, which demonstrates that there is no black-box reduction without demonstrating that there is no relativizing reduction.
On the Impossibility of Constructing Non-Interactive Statistically-Secret Protocols from any Trapdoor One-Way Function
In Topics in Cryptology – The Cryptographers’ Track at the RSA Conference, 2002
Cited by 22 (0 self)
Abstract
We show that non-interactive statistically-secret bit commitment cannot be constructed from arbitrary black-box one-to-one trapdoor functions and thus from general public-key cryptosystems. Reducing the problems of non-interactive crypto-computing, re-randomizable encryption, non-interactive statistically-sender-private oblivious transfer, and low-communication private information retrieval to such commitment schemes, it follows that none of these primitives can be constructed from one-to-one trapdoor functions or public-key encryption in general. Furthermore, our...