Results 1-10 of 37
Constant-Round Oblivious Transfer in the Bounded Storage Model
2004
Cited by 31 (5 self)
We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.
Smooth Projective Hashing and Two-Message Oblivious Transfer
In EUROCRYPT 2005, Springer-Verlag (LNCS 3494), 2005
Cited by 30 (1 self)
We present a general framework for constructing two-message oblivious transfer protocols using a modification of Cramer and Shoup’s notion of smooth projective hashing (2002). Our framework is actually an abstraction of the two-message oblivious transfer protocols of Naor and Pinkas (2001) and Aiello et al. (2001), whose security is based on the Decisional Diffie-Hellman Assumption. In particular, this framework gives rise to two new oblivious transfer protocols. The security of one is based on the N’th-Residuosity Assumption, and the security of the other is based on both the Quadratic Residuosity Assumption and the Extended Riemann Hypothesis. When using smooth projective hashing in this context, we must deal with maliciously chosen smooth projective hash families. This raises new technical difficulties that did not arise in previous applications, and in particular it is here that the Extended Riemann Hypothesis comes into play. Similar to the previous two-message protocols for oblivious transfer, our constructions give a security guarantee which is weaker than the traditional, simulation-based, definition of security. Nevertheless, the security notion that we consider is non-trivial and seems to be meaningful for some applications in which oblivious transfer is used in the presence of malicious adversaries.
Intrusion-resilience via the Bounded-Storage Model
In Theory of Cryptography Conference, volume 3876 of LNCS, 2006
Cited by 29 (3 self)
We introduce a new method of achieving intrusion-resilience in the cryptographic protocols. More precisely we show how to preserve security of such protocols, even if a malicious program (e.g. a virus) was installed on a computer of an honest user (and it was later removed). The security of our protocols relies on the assumption that the amount of data that the adversary can transfer from the infected machine is limited (however, we allow the adversary to perform any efficient computation on user’s private data, before deciding on what to transfer). We focus on two cryptographic tasks, namely: session-key generation and entity authentication. Our method is based on the results from the Bounded-Storage Model.
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
In Proc. of EUROCRYPT ’00, 2000
Cited by 27 (4 self)
We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ε for some small ε) our construction breaks the information-theoretic lower bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
Oblivious transfer in the bounded storage model
In Advances in Cryptology - CRYPTO 2001, 2001
Cited by 21 (3 self)
Building on a previous important work of Cachin, Crépeau, and Marcil [15], we present a provably secure and more efficient protocol for $\binom{2}{1}$-Oblivious Transfer with a storage-bounded receiver. A public random string of n bits long is employed, and the protocol is secure against any receiver who can store γn bits, γ < 1. Our work improves the work of CCM [15] in two ways. First, the CCM protocol requires the sender and receiver to store O(n^c) bits, c ∼ 2/3. We give a similar but more efficient protocol that just requires the sender and receiver to store O(√(kn)) bits, where k is a security parameter. Second, the basic CCM Protocol was proved in [15] to guarantee that a dishonest receiver who can store O(n) bits succeeds with probability at most O(n^{−d}), d ∼ 1/3, although repetition of the protocol can make this probability of cheating exponentially small [20]. Combining the methodologies of [24] and [15], we prove that in our protocol, a dishonest storage-bounded receiver succeeds with probability only 2^{−O(k)}, without repetition of the protocol. Our results answer an open problem raised by CCM in the affirmative.
Cryptography In the Bounded Quantum-Storage Model
In 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2005
Cited by 21 (7 self)
We initiate the study of two-party cryptographic primitives with unconditional security, assuming that the adversary’s quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least n/2 in order to break the protocol, where n is the number of qubits transmitted. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size quadratic in honest players’ memory size. Our protocols are efficient, non-interactive and can be implemented using today’s technology. On the technical side, a new entropic uncertainty relation involving min-entropy is established.
Tight Security Proofs for the Bounded-Storage Model
In Proceedings of the 34th Annual ACM Symposium on Theory of Computing, 2002
Cited by 20 (3 self)
In the bounded-storage model for information-theoretically secure encryption and key-agreement one can prove the security of a cipher based on the sole assumption that the adversary's storage capacity is bounded, say by s bits, even if her computational power is unlimited. Assume that a random t-bit string R is either publicly available (e.g. the signal of a deep space radio source) or broadcast by one of the legitimate parties. If s < t, the adversary can store only partial information about R. The legitimate sender Alice and receiver Bob, sharing a short secret key K initially, can therefore potentially generate a very long n-bit one-time pad X with n ≫ |K| about which the adversary has essentially no information, thus at first glance apparently contradicting Shannon's bound on the key size of a perfect cipher.
Optimal reductions between oblivious transfers using interactive hashing
Advances in Cryptology - Crypto 2006, 201–521, 2006
Cited by 15 (1 self)
We present an asymptotically optimal reduction of one-out-of-two String Oblivious Transfer to one-out-of-two Bit Oblivious Transfer using Interactive Hashing in conjunction with Privacy Amplification. Interactive Hashing is used in an innovative way to test the receiver’s adherence to the protocol. We show that (1 + ε)k uses of Bit OT suffice to implement String OT for k-bit strings. Our protocol represents a twofold improvement over the best constructions in the literature and is asymptotically optimal. We then show that our construction can also accommodate weaker versions of Bit OT obtaining in all three cases a significantly lower expansion factor compared to previous constructions. Besides increasing efficiency, our constructions impose no constraints on the 2-universal families of Hash Functions used for Privacy Amplification. Of independent interest, our reduction illustrates the power of Interactive Hashing as an ingredient in the design of cryptographic protocols.
A new interactive hashing theorem
In Proceedings of the 22nd Annual IEEE Conference on Computational Complexity, 2007
Cited by 12 (5 self)
Interactive hashing, introduced by Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92), plays an important role in many cryptographic protocols. In particular, it is a major component in all known constructions of statistically hiding and computationally binding commitment schemes and of zero-knowledge arguments based on general one-way permutations and on one-way functions. Interactive hashing with respect to a one-way permutation f, is a two-party protocol that enables a sender that knows y = f(x) to transfer a random hash z = h(y) to a receiver. The receiver is guaranteed that the sender is committed to y (in the sense that it cannot come up with x and x′ such that f(x) ≠ f(x′), but h(f(x)) = h(f(x′)) = z). The sender is guaranteed that the receiver does not learn any additional information on y. In particular, when h is a two-to-one hash function, the receiver does not learn which of the two preimages {y, y′} = h^{−1}(z) is the one the sender can invert with respect to f. This paper reexamines the notion of interactive hashing. We give an alternative proof for the Naor et al. protocol, which seems to us significantly simpler and more intuitive than the original one. Moreover, the new proof achieves much better parameters (in terms of how security
Error correction in the bounded storage model
In 2nd Theory of Cryptography Conference — TCC 2005, volume 3378 of LNCS, 2005
Cited by 12 (1 self)
We initiate a study of Maurer’s bounded storage model (JoC, 1992) in presence of transmission errors and perhaps other types of errors that cause different parties to have inconsistent views of the public random source. Such errors seem inevitable in any implementation of the model. All previous schemes and protocols in the model assume a perfectly consistent view of the public source from all parties, and do not function correctly in presence of errors, while the private-key encryption scheme of Aumann, Ding and Rabin (IEEE IT, 2002) can be extended to tolerate only a O(1 / log(1/ε)) fraction of errors, where ε is an upper bound on the advantage of an adversary. In this paper, we provide a general paradigm for constructing secure and error-resilient private-key cryptosystems in the bounded storage model that tolerate a constant fraction of errors, and attain the near optimal parameters achieved by Vadhan’s construction (JoC, 2004) in the errorless case. In particular, we show that any local fuzzy extractor yields a secure and error-resilient cryptosystem in the model, in analogy to the result of Lu (JoC, 2004) that any local strong extractor yields a secure cryptosystem in the errorless case, and construct efficient local fuzzy extractors by extending Vadhan’s sample-then-extract paradigm. The main ingredients of our constructions are averaging samplers (Bellare and Rompel, FOCS ’94), randomness extractors (Nisan and Zuckerman, JCSS, 1996), error correcting codes, and fuzzy extractors (Dodis, Reyzin and Smith, EUROCRYPT ’04).