Results 1 - 10 of 11
A hard-core predicate for all one-way functions
 In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, 1989
Cited by 356 (5 self)
A central tool in constructing pseudorandom generators, secure encryption functions, and in other areas are "hard-core" predicates b of functions (permutations) f, discovered in [Blum Micali 82]. Such b(x) cannot be efficiently guessed (substantially better than 50-50) given only f(x). Both b, f are computable in polynomial time. [Yao 82] transforms any one-way function f into a more complicated one, f*, which has a hard-core predicate. The construction applies the original f to many small pieces of the input to f* just to get one "hard-core" [...] rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small that f can be inverted (and the "hard-core" bit computed) by exhaustive search. In this paper we show that every one-way function, padded to the form f(p, x) = (p, g(x)), ||p|| = ||x||, has by itself a hard-core predicate of the same (within a polynomial) security. Namely, we prove a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of boolean vectors p, x is a hard-core of every one-way function f(p, x) = (p, g(x)). The result extends to multiple (up to the logarithm of security) such bits and to any distribution on the x's for which f is hard to invert.
Number-theoretic constructions of efficient pseudorandom functions
 In 38th Annual Symposium on Foundations of Computer Science, 1997
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions
1995
Cited by 42 (10 self)
A pseudorandom function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudorandom synthesizer and show how to use it in order to get a parallel construction of a pseudorandom function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudorandom functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudorandom functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
The Foundations of Modern Cryptography
1998
Cited by 24 (0 self)
In our opinion, the Foundations of Cryptography are the paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. In this essay, we survey some of these paradigms, approaches and techniques as well as some of the fundamental results obtained using them. Special effort is made in attempt to dissolve common misconceptions regarding these paradigms and results. © Copyright 1998 by Oded Goldreich. Permission to make copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted. A preliminary version of this essay has appeared in the proceedings of Crypto97 (Springer's Lecture Notes in Computer Science, Vol. 1294).
A Generalization of Paillier's Public-Key System with Applications to Electronic Voting
 P Y A RYAN, 2003
Cited by 20 (1 self)
We propose a generalization of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier's original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct
On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
 Journal of Cryptology, 2000
Cited by 16 (0 self)
Assuming the intractability of factoring, we show that the output of the exponentiation modulo a composite function f_{N,g}(x) = g^x mod N (where N = P · Q) is pseudorandom, even when its input is restricted to be half the size. This result is equivalent to the simultaneous hardness of the upper half of the bits of f_{N,g}, proven by Hastad, Schrift and Shamir. Yet, we supply a different proof that is significantly simpler than the original one. In addition, we suggest a pseudorandom generator which is more efficient than all previously known factoring based pseudorandom generators. Keywords: Modular exponentiation, discrete logarithm, hard core predicates, simultaneous security, pseudorandom generator, factoring assumption. This writeup is based on the Master Thesis of the second author (supervised by the first author). 1 Introduction One-way functions play an extremely important role in modern cryptography. Loosely speaking, these are functions which are easy to evaluate bu...
Pseudo-Random Functions and Factoring
 Proc. 32nd ACM Symp. on Theory of Computing, 2000
Cited by 13 (2 self)
The computational hardness of factoring integers is the most established assumption on which cryptographic primitives are based. This work presents an efficient construction of pseudorandom functions whose security is based on the intractability of factoring. In particular, we are able to construct efficient length-preserving pseudorandom functions where each evaluation requires only a (small) constant number of modular multiplications per output bit. This is substantially more efficient than any previous construction of pseudorandom functions based on factoring, and matches (up to a constant factor) the efficiency of the best known factoring-based pseudorandom bit generators.
An Efficient Pseudo-Random Generator with Applications to Public-Key Encryption and Constant-Round Multiparty Computation
2001
Cited by 3 (0 self)
We present a pseudorandom bit generator expanding a uniformly random bitstring r of length k/2, where k is the security parameter, into a pseudorandom bitstring of length 2k - log 2 (k) using one modular exponentiation. In contrast to all previous high expansion-rate pseudorandom bit generators, no hashing is necessary. The security of the generator is proved relative to Paillier's composite degree residuosity assumption. As a first application of our pseudorandom bit generator we exploit its efficiency to optimise Paillier's cryptosystem by a factor of (at least) 2 in both running time and usage of random bits. We then exploit the algebraic properties of the generator to construct an efficient protocol for secure constant-round multiparty function evaluation in the cryptographic setting. This construction gives an improvement in communication complexity over previous protocols in the order of nk², where n is the number of participants and k is the security parameter, resulting in a communication complexity of O(nk² C) bits, where C is a Boolean circuit computing the function in question.
Zero-Knowledge Watermark Detection Resistant to Ambiguity Attacks
2006
Cited by 3 (0 self)
A zero-knowledge watermark detector allows an owner to prove to a verifier that an image in question indeed contains the owner’s watermark without revealing much information about the actual watermark. In such a scenario, the owner publishes a committed watermark before watermark detection so as to show that she knows the watermark before the detection. However, this does not imply that the owner can prove that she knows the watermark before the work appeared in the public. One well known counter example is the invertibility/ambiguity attacks where an adversary can create an ambiguous situation by deriving a forged watermark from a published work, and commits the forged watermark. Furthermore, the adversary may derive a watermark from existing non-watermarked images in the public domain and later claim ownership of them. One solution is to enforce certain constraints on the valid watermarks. In this paper we propose a zero-knowledge watermark detector that prevents the owner from cheating by ambiguity attacks. In addition, it allows the owner to publish a large number of works with different watermarks, while committing only one secret.
On the possibility of noninvertible watermarking schemes
 In International Workshop on Digital Watermarking, volume 3200 of LNCS, 2004
Cited by 2 (1 self)
Abstract. Recently, there are active discussions on the possibility of noninvertible watermarking scheme. A noninvertible scheme prevents an attacker from deriving a valid watermark from a cover work. Recent results suggest that it is difficult to design a provably secure noninvertible scheme. In contrast, in this paper, we show that it is possible. We give a scheme based on a cryptographically secure pseudorandom number generator (CSPRNG) and show that it is secure with respect to well-accepted notion of security. We employ the spread spectrum method as the underlying watermarking scheme to embed the watermark. The parameters chosen for the underlying scheme give reasonable robustness, false alarm and distortion. We prove the security by showing that, if there is a successful attacker, then there exists a probabilistic polynomial-time algorithm that can distinguish the uniform distribution from sequences generated by the CSPRNG, and thus contradicts the assumption that the CSPRNG is secure. Furthermore, in our scheme the watermark is statistically independent from the original work, which shows that it is not necessary to enforce a relationship between them to achieve noninvertibility.