Results 1 - 10 of 52
Intrusion-resilience via the Bounded-Storage Model
In Theory of Cryptography Conference, volume 3876 of LNCS, 2006
Cited by 41 (4 self)
Abstract. We introduce a new method of achieving intrusion-resilience in the cryptographic protocols. More precisely we show how to preserve security of such protocols, even if a malicious program (e.g. a virus) was installed on a computer of an honest user (and it was later removed). The security of our protocols relies on the assumption that the amount of data that the adversary can transfer from the infected machine is limited (however, we allow the adversary to perform any efficient computation on user’s private data, before deciding on what to transfer). We focus on two cryptographic tasks, namely: session-key generation and entity authentication. Our method is based on the results from the Bounded-Storage Model.
Constant-Round Oblivious Transfer in the Bounded Storage Model
2004
Cited by 39 (5 self)
We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.
Smooth Projective Hashing and Two-Message Oblivious Transfer
Cryptology ePrint Archive, Report 2007/118. Preliminary version in EUROCRYPT 2005, Springer-Verlag (LNCS 3494), 2005
Cited by 34 (1 self)
Abstract. We present a general framework for constructing two-message oblivious transfer protocols using a modification of Cramer and Shoup's notion of smooth projective hashing (2002). Our framework is actually an abstraction of the two-message oblivious transfer protocols of Naor and Pinkas (2001) and Aiello et al. (2001), whose security is based on the Decisional Diffie-Hellman Assumption. In particular, we give two new oblivious transfer protocols. The security of one is based on the N'th-Residuosity Assumption, and the security of the other is based on both the Quadratic Residuosity Assumption and the Extended Riemann Hypothesis. Our security guarantees are not simulation based, and are similar to those of previous constructions. When using smooth projective hashing in this context, we must deal with maliciously chosen smooth projective hash families. This raises new technical difficulties, and in particular it is here that the Extended Riemann Hypothesis comes into play.
One-way trapdoor permutations are sufficient for non-trivial single-server private information retrieval
In Proc. of EUROCRYPT ’00, 2000
Cited by 32 (4 self)
Abstract. We show that general one-way trapdoor permutations are sufficient to privately retrieve an entry from a database of size n with total communication complexity strictly less than n. More specifically, we present a protocol in which the user sends O(K^2) bits and the server sends n − cn bits (for any constant c), where K is the security parameter K of the trapdoor permutations. Thus, for sufficiently large databases (e.g., when K = n^ɛ for some small ɛ) our construction breaks the information-theoretic lower-bound (of at least n bits). This demonstrates the feasibility of basing single-server private information retrieval on general complexity assumptions. An important implication of our result is that we can implement a 1-out-of-n Oblivious Transfer protocol with communication complexity strictly less than n based on any one-way trapdoor permutation.
Cryptography In the Bounded Quantum-Storage Model
In 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS), 2005
Cited by 31 (7 self)
We initiate the study of two-party cryptographic primitives with unconditional security, assuming that the adversary’s quantum memory is of bounded size. We show that oblivious transfer and bit commitment can be implemented in this model using protocols where honest parties need no quantum memory, whereas an adversarial player needs quantum memory of size at least n/2 in order to break the protocol, where n is the number of qubits transmitted. This is in sharp contrast to the classical bounded-memory model, where we can only tolerate adversaries with memory of size quadratic in honest players’ memory size. Our protocols are efficient, non-interactive and can be implemented using today’s technology. On the technical side, a new entropic uncertainty relation involving min-entropy is established.
Oblivious transfer in the bounded storage model
In Advances in Cryptology - CRYPTO 2001, 2001
Cited by 24 (3 self)
Abstract. Building on a previous important work of Cachin, Crépeau, and Marcil [15], we present a provably secure and more efficient protocol for $\binom{2}{1}$-Oblivious Transfer with a storage-bounded receiver. A public random string of n bits long is employed, and the protocol is secure against any receiver who can store γn bits, γ < 1. Our work improves the work of CCM [15] in two ways. First, the CCM protocol requires the sender and receiver to store O(n^c) bits, c ∼ 2/3. We give a similar but more efficient protocol that just requires the sender and receiver to store O(√(kn)) bits, where k is a security parameter. Second, the basic CCM Protocol was proved in [15] to guarantee that a dishonest receiver who can store O(n) bits succeeds with probability at most O(n^(−d)), d ∼ 1/3, although repetition of the protocol can make this probability of cheating exponentially small [20]. Combining the methodologies of [24] and [15], we prove that in our protocol, a dishonest storage-bounded receiver succeeds with probability only 2^(−O(k)), without repetition of the protocol. Our results answer an open problem raised by CCM in the affirmative.
Tight Security Proofs for the Bounded-Storage Model
In Proceedings of the 34th Annual ACM Symposium on Theory of Computing, 2002
Cited by 22 (3 self)
In the bounded-storage model for information-theoretically secure encryption and key-agreement one can prove the security of a cipher based on the sole assumption that the adversary's storage capacity is bounded, say by s bits, even if her computational power is unlimited. Assume that a random t-bit string R is either publicly available (e.g. the signal of a deep space radio source) or broadcast by one of the legitimate parties. If s < t, the adversary can store only partial information about R. The legitimate sender Alice and receiver Bob, sharing a short secret key K initially, can therefore potentially generate a very long n-bit one-time pad X with n ≫ |K| about which the adversary has essentially no information, thus at first glance apparently contradicting Shannon's bound on the key size of a perfect cipher.
Optimal reductions between oblivious transfers using interactive hashing
2006
Cited by 19 (2 self)
We present an asymptotically optimal reduction of one-out-of-two
Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries
Public Key Cryptography 2005, 2005
Cited by 16 (0 self)
Abstract: Oblivious transfer is an important cryptographic protocol in various security applications. For example, in online transactions, a k-out-of-n oblivious transfer scheme allows a buyer to privately choose k out of n digital goods from a merchant without learning information about other n−k goods. In this paper, we propose several efficient two-round k-out-of-n oblivious transfer schemes, in which the receiver R sends O(k) messages to the sender S, and S sends O(n) messages back to R. The schemes provide unconditional security for either sender or receiver. The computational security for the other side is based on the Decisional Diffie-Hellman (DDH) or Chosen-Target Computational Diffie-Hellman (CT-CDH) problems. Our schemes have the nice property of universal parameters, that is, each pair of R and S need not hold any secret before performing the protocol. The system parameters can be used by all senders and receivers without any trapdoor specification. In some cases, our OT^k_n schemes are the most efficient ones in terms of the communication cost, either in rounds or the number of messages. Moreover, one of our schemes is extended to an adaptive oblivious transfer scheme. In that scheme, S sends O(n) messages to R in one round in the commitment phase. For each query of R, only O(1) messages are exchanged and O(1) operations are performed. The preliminary version of this paper was published at PKC ’05 [Chu and Tzeng 2005].
One-Way Permutations, Interactive Hashing and Statistically-Hiding Commitments
In S. Vadhan (Ed.): Theory of Cryptography (TCC) 2007, LNCS 4392, 2007
Cited by 15 (1 self)
Abstract. We present a lower bound on the round complexity of a natural class of black-box constructions of statistically hiding commitments from one-way permutations. This implies a Ω(n / log n) lower bound on the round complexity of a computational form of interactive hashing, which has been used to construct statistically hiding commitments (and related primitives) from various classes of one-way functions, starting with the work of Naor, Ostrovsky, Venkatesan and Yung (J. Cryptology, 1998). Our lower bound matches the round complexity of the protocol studied by Naor et al.