Results 1  10
of
16
Entity Authentication and Key Distribution
, 1993
"... Entity authentication and key distribution are central cryptographic problems in distributed computing  but up until now, they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these p ..."
Abstract

Cited by 463 (13 self)
 Add to MetaCart
Entity authentication and key distribution are central cryptographic problems in distributed computing  but up until now, they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these problems in the complexitytheoretic framework of modern cryptography. Addressed in detail are two problems of the symmetric, twoparty setting: mutual authentication and authenticated key exchange. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming the (minimal) assumption of pseudorandom function. When this assumption is appropriately instantiated, the protocols given are practical and efficient.
Optimal Asymmetric Encryption – How to Encrypt with RSA
, 1995
"... Given an arbitrary kbit to kbit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme ..."
Abstract

Cited by 204 (18 self)
 Add to MetaCart
Given an arbitrary kbit to kbit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is \ideal. " Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she \knows " the corresponding plaintextssuch ascheme is not only semantically secure but also nonmalleable and secure against chosenciphertext attack.
A forwardsecure digital signature scheme
, 1999
"... Abstract. We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. Thi ..."
Abstract

Cited by 175 (13 self)
 Add to MetaCart
Abstract. We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the FiatShamir and OngSchnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient. 1
Knowledge, probability, and adversaries
 Journal of the ACM
, 1993
"... Abstract: What should it mean for an agent toknowor believe an assertion is true with probability:99? Di erent papers [FH88, FZ88a, HMT88] givedi erent answers, choosing to use quite di erent probability spaces when computing the probability that an agent assigns to an event. We showthat each choice ..."
Abstract

Cited by 72 (24 self)
 Add to MetaCart
Abstract: What should it mean for an agent toknowor believe an assertion is true with probability:99? Di erent papers [FH88, FZ88a, HMT88] givedi erent answers, choosing to use quite di erent probability spaces when computing the probability that an agent assigns to an event. We showthat each choice can be understood in terms of a betting game. This betting game itself can be understood in terms of three types of adversaries in uencing three di erent aspects of the game. The rst selects the outcome of all nondeterministic choices in the system� the second represents the knowledge of the agent's opponent in the betting game (this is the key place the papers mentioned above di er) � the third is needed in asynchronous systems to choose the time the bet is placed. We illustrate the need for considering all three types of adversaries with a number of examples. Given a class of adversaries, we show howto assign probability spaces to agents in a way most appropriate for that class, where \most appropriate " is made precise in terms of this betting game. We conclude by showing how di erent assignments of probability spaces (corresponding to di erent opponents) yield di erent levels of guarantees in probabilistic coordinated attack.
Perfect zeroknowledge in constant rounds
 In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing
, 1990
"... Rafail Ostrovsky z Quadratic residuosity and graph isomorphism are classic problems and the canonical examples of zeroknowledge languages. However, despite much research e ort, all previous zeroknowledge proofs for them required either cryptography (and thus unproven assumptions) or an unbounded nu ..."
Abstract

Cited by 36 (4 self)
 Add to MetaCart
Rafail Ostrovsky z Quadratic residuosity and graph isomorphism are classic problems and the canonical examples of zeroknowledge languages. However, despite much research e ort, all previous zeroknowledge proofs for them required either cryptography (and thus unproven assumptions) or an unbounded number of rounds of message exchange. For both (and similar) languages, we exhibit zeroknowledge proofs that require 5 rounds and no unproven assumptions. Our solution is essentially optimal, in this setting, due to a recent lowerbound argument of Goldreich and Krawzcyk. 1
The complexity of decision versus search
 SIAM Journal on Computing
, 1994
"... A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and nondeterministic doubleexponential time are unequal) we construct a language in NP for which search does not red ..."
Abstract

Cited by 32 (1 self)
 Add to MetaCart
A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and nondeterministic doubleexponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable. Keywords: NPcompleteness, selfreducibility, interactive proofs, program checking, sparse sets,
Randomness, Interactive Proofs and . . .
 APPEARS IN THE UNIVERSAL TURING MACHINE: A HALFCENTURY SURVEY, R. HERKEN ED.
, 1987
"... Recent approaches to the notions of randomness and proofs are surveyed. The new notions differ from the traditional ones in being subjective to the capabilities of the observer rather than reflecting "ideal " entities. The new notion of randomness regards probability distributions as equal if they c ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
Recent approaches to the notions of randomness and proofs are surveyed. The new notions differ from the traditional ones in being subjective to the capabilities of the observer rather than reflecting "ideal " entities. The new notion of randomness regards probability distributions as equal if they cannot be told apart by efficient procedures. This notion is constructive and is suited for many applications. The new notion of a proof allows the introduction of the notion of zeroknowledge proofs: convincing arguments which yield nothing but the validity of the assertion. The new approaches to randomness and proofs are based on basic concepts and results from the theory of resourcebounded computation. In order to make the survey as accessible as possible, we have presented elements of the theory of resource bounded computation (but only to the extent required for the description of the new approaches). This survey is not intended to provide an account of the more traditional approaches to randomness (e.g. Kolmogorov Complexity) and proofs (i.e. traditional logic systems). Whenever these approaches are described it is only in order to confront them with the new approaches.
Identification protocols secure against reset attacks
 Adv. in Cryptology — Eurocrypt 2001, LNCS
, 2001
"... Abstract. We provide identi£cation protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of ..."
Abstract

Cited by 28 (4 self)
 Add to MetaCart
Abstract. We provide identi£cation protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of the user. These protocols are suitable for use by devices (like smartcards) which when under adversary control may not be able to reliably maintain their internal state between invocations. 1
Minimum Resource ZeroKnowledge Proofs
 In 30th Annual Symposium on Foundations of Computer Science
, 1989
"... ) Joe Kilian Silvio Micali y Rafail Ostrovsky z Abstract We consider several resources relating to zeroknowledge protocols: The number of envelopes used in the protocol, the number of oblivious transfers protocols executed during the protocol, and the total amount of communication required by ..."
Abstract

Cited by 27 (3 self)
 Add to MetaCart
) Joe Kilian Silvio Micali y Rafail Ostrovsky z Abstract We consider several resources relating to zeroknowledge protocols: The number of envelopes used in the protocol, the number of oblivious transfers protocols executed during the protocol, and the total amount of communication required by the protocol. We show that after a preprocessing stage consisting of O(k) executions of Oblivious Transfer, any polynomial number of NPtheorems of any polysize can be proved noninteractively and in zeroknowledge, based on the existence of any oneway function, so that the probability of accepting a false theorem is less then 1 2 k . 1 Minimizing Envelopes 1.1 Envelopes as a resource. [GMR] puts forward the somewhat paradoxical notion of a zeroknowledge proof, and exemplifies it for a few special classes of assertions. The introduction of ideal commitment mechanisms, known as envelopes, allows us to achieve greater generality. Proofs of any NP statements can be accomplished in perfe...
OneWay Functions, Hard on Average Problems, and Statistical ZeroKnowledge Proofs (Extended Abstract)
 IN PROCEEDINGS OF THE 6TH ANNUAL STRUCTURE IN COMPLEXITY THEORY CONFERENCE
, 1991
"... In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one. ..."
Abstract

Cited by 27 (7 self)
 Add to MetaCart
In this paper, we study connections among oneway functions, hard on the average problems, and statistical zeroknowledge proofs. In particular, we show how these three notions are related and how the third notion can be better characterized, assuming the first one.