Results 1  10
of
85
A Fuzzy Commitment Scheme
 ACM CCS'99
, 1999
"... We combine wellknown techniques from the areas of errorcorrecting codes and cryptography to achieve a new type of cryptographic primitive that we refer to as a fuzzy commitment scheme. Like a conventional cryptographic commitment scheme, our fuzzy commitment scheme is both concealing and binding: i ..."
Abstract

Cited by 204 (1 self)
 Add to MetaCart
We combine wellknown techniques from the areas of errorcorrecting codes and cryptography to achieve a new type of cryptographic primitive that we refer to as a fuzzy commitment scheme. Like a conventional cryptographic commitment scheme, our fuzzy commitment scheme is both concealing and binding: it is infeasible for an attacker to learn the committed value, and also for the committer to decommit a value in more than one way. In a conventional scheme, a commitment must be opened using a unique witness, which acts, essentially, as a decryption key. By contrast, our scheme is fuzzy in the sense that it accepts a witness that is close to the original encrypting witness in a suitable metric, but not necessarily identical. This characteristic of our fuzzy commitment scheme makes it useful for applications such as biometric authentication systems, in which data is subject to random noise. Because the scheme is tolerant of error, it is capable of protecting biometric data just as conventional cryptographic techniques, like hash functions, are used to protect alphanumeric passwords. This addresses a major outstanding problem in the theory of biometric authentication. We prove the security characteristics of our fuzzy commitment scheme relative to the properties of an underlying cryptographic hash function.
Experimental Quantum Cryptography
 Journal of Cryptology
, 1992
"... We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the ..."
Abstract

Cited by 195 (20 self)
 Add to MetaCart
We describe results from an apparatus and protocol designed to implement quantum key distribution, by which two users, who share no secret information initially: 1) exchange a random quantum transmission, consisting of very faint flashes of polarized light; 2) by subsequent public discussion of the sent and received versions of this transmission estimate the extent of eavesdropping that might have taken place on it, and finally 3) if this estimate is small enough, distill from the sent and received versions a smaller body of shared random information, which is certifiably secret in the sense that any third party's expected information on it is an exponentially small fraction of one bit. Because the system depends on the uncertainty principle of quantum physics, instead of usual mathematical assumptions such as the difficulty of factoring, it remains secure against an adversary with unlimited computing power. A preliminary version of this paper was presented at Eurocrypt '90, May 21 ...
A fuzzy vault scheme
 In International Symposium on Information Theory (ISIT
, 2002
"... Abstract. We describe a simple and novel cryptographic construction that we refer to as a fuzzy vault. A player Alice may place a secret value κ in a fuzzy vault and “lock ” it using a set A of elements from some public universe U. If Bob tries to “unlock ” the vault using a set B of similar length, ..."
Abstract

Cited by 183 (1 self)
 Add to MetaCart
Abstract. We describe a simple and novel cryptographic construction that we refer to as a fuzzy vault. A player Alice may place a secret value κ in a fuzzy vault and “lock ” it using a set A of elements from some public universe U. If Bob tries to “unlock ” the vault using a set B of similar length, he obtains κ only if B is close to A, i.e., only if A and B overlap substantially. In constrast to previous constructions of this flavor, ours possesses the useful feature of order invariance, meaning that the ordering of A and B is immaterial to the functioning of the vault. As we show, our scheme enjoys provable security against a computationally unbounded attacker.
Fair Computation of General Functions in Presence of Immoral Majority
, 1990
"... This paper describes a method for n players, a majority of which may be faulty, to compute correctly, privately, and fairly any computable function f(Xl,...,x,) where xi is the input of the ith player. The method uses as a building block an oblivious transfer primitive. Previous methods achieved th ..."
Abstract

Cited by 94 (1 self)
 Add to MetaCart
This paper describes a method for n players, a majority of which may be faulty, to compute correctly, privately, and fairly any computable function f(Xl,...,x,) where xi is the input of the ith player. The method uses as a building block an oblivious transfer primitive. Previous methods achieved these properties, only for boolean functions, which, in particular, precluded composition of such protocols. We also propose a simpler definition of security for multiplayer protocols which still implies previous definitions of privacy and correctness. 1
Practical Quantum Oblivious Transfer
, 1992
"... We describe a protocol for quantum oblivious transfer , utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two onebit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about ..."
Abstract

Cited by 73 (12 self)
 Add to MetaCart
We describe a protocol for quantum oblivious transfer , utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two onebit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (ie deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol is easy to modify in order to implement the AllorNothing Disclosure of one out of two string messages, and it can be used to implement bit commitment and oblivious circuit evaluation without complexitytheoretic assumptions, in a way that remains secure e...
A Quantum Bit Commitment Scheme Provably Unbreakable by both Parties
, 1993
"... Assume that a party, Alice, has a bit x in mind, to which she would like to be committed toward another party, Bob. That is, Alice wishes, through a procedure commit(x), to provide Bob with a piece of evidence that she has a bit x in mind and that she cannot change it. Meanwhile, Bob should not be ..."
Abstract

Cited by 68 (12 self)
 Add to MetaCart
Assume that a party, Alice, has a bit x in mind, to which she would like to be committed toward another party, Bob. That is, Alice wishes, through a procedure commit(x), to provide Bob with a piece of evidence that she has a bit x in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what x is. At a later time, Alice can reveal, through a procedure unveil(x), the value of x and prove to Bob that the piece of evidence sent earlier really corresponded to that bit. Classical bit commitment schemes (by which Alice's piece of evidence is classical information such as a bit string) cannot be secure against unlimited computing power and none have been proven secure against algorithmic sophistication. Previous quantum bit commitment schemes (by which Alice's piece of evidence is quantum information such as a stream of polarized photons) were known to be invulnerable to unlimited computing power and algorithmic sophistication, but not to arbitrary...
Efficient Cryptographic Protocols based on Noisy Channels
, 1996
"... The WireTap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr'epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a crypto ..."
Abstract

Cited by 51 (0 self)
 Add to MetaCart
The WireTap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr'epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires\Omega\Gamma n 11 ) bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending O(n) and O(n 3 ) bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [1] that allow two people to extract secret information from partially compromised data. 1 Introduction The cryptographic power of...
Committed Oblivious Transfer and Private MultiParty Computation
, 1995
"... . In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a0 and a1 and Bob is committed to b, they both want Bob to learn and commit to a b without Alice learning b nor Bob learning a¯ b ..."
Abstract

Cited by 50 (10 self)
 Add to MetaCart
. In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a0 and a1 and Bob is committed to b, they both want Bob to learn and commit to a b without Alice learning b nor Bob learning a¯ b . Our protocol, based on the properties of error correcting codes, uses Bit Commitment (bc) and oneoutoftwo Oblivious Transfer (ot) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of bc and ot used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private MultiParty Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of bcs and ots performed. Our approach connects Zero Knowledge proofs on bcs, Oblivious Circuit Evaluation and Private MultiParty ...
Oblivious Transfers and Intersecting Codes
, 1996
"... Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft St ..."
Abstract

Cited by 39 (4 self)
 Add to MetaCart
Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft String Oblivious Transfer, denoted ( t 1 )OT k 2 . This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 and t = 2 of two onebit secrets: this is known as Oneoutoftwo Bit Oblivious Transfer, denoted ( 2 1 )OT 2 . We address the question of implementing ( t 1 )OT k 2 assuming the existence of a ( 2 1 )OT 2 . In particular, we prove that unconditionally secure ( 2 1 )OT k 2 can be implemented from \Theta(k) calls to ( 2 1 )OT 2 . This is optimal up to a small multiplicative constant. Our solution is based on the notion of selfintersecting codes. Of independent interest, we give several...
Unconditional Security Against MemoryBounded Adversaries
 In Advances in Cryptology – CRYPTO ’97, Lecture Notes in Computer Science
, 1997
"... We propose a privatekey cryptosystem and a protocol for key agreement by public discussion that are unconditionally secure based on the sole assumption that an adversary's memory capacity is limited. No assumption about her computing power is made. The scenario assumes that a random bit string of l ..."
Abstract

Cited by 39 (3 self)
 Add to MetaCart
We propose a privatekey cryptosystem and a protocol for key agreement by public discussion that are unconditionally secure based on the sole assumption that an adversary's memory capacity is limited. No assumption about her computing power is made. The scenario assumes that a random bit string of length slightly larger than the adversary's memory capacity can be received by all parties. The random bit string can for instance be broadcast by a satellite or over an optical network, or transmitted over an insecure channel between the communicating parties. The proposed schemes require very high bandwidth but can nevertheless be practical. 1 Introduction One of the most important properties of a cryptographic system is a proof of its security under reasonable and general assumptions. However, every design involves a tradeoff between the strength of the security and further important qualities of a cryptosystem, such as efficiency and practicality. The security of all currently used cryp...