Entity Authentication and Key Distribution
, 1993
Abstract

Cited by 550 (13 self)
Entity authentication and key distribution are central cryptographic problems in distributed computing, but up until now they have lacked even a meaningful definition. One consequence is that incorrect and inefficient protocols have proliferated. This paper provides the first treatment of these problems in the complexity-theoretic framework of modern cryptography. Addressed in detail are two problems of the symmetric, two-party setting: mutual authentication and authenticated key exchange. For each we present a definition, protocol, and proof that the protocol meets its goal, assuming the (minimal) assumption of a pseudorandom function. When this assumption is appropriately instantiated, the protocols given are practical and efficient.
Optimal Asymmetric Encryption – How to Encrypt with RSA
, 1995
Abstract

Cited by 227 (20 self)
Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(r_x), where r_x is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts; such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
Free Bits, PCPs and Non-Approximability – Towards Tight Results
, 1996
Abstract

Cited by 208 (39 self)
This paper continues the investigation of the connection between proof systems and approximation. The emphasis is on proving tight non-approximability results via consideration of measures like the "free bit complexity" and the "amortized free bit complexity" of proof systems.
A forward-secure digital signature scheme
, 1999
Abstract

Cited by 202 (14 self)
We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient.
Knowledge, probability, and adversaries
Journal of the ACM
, 1993
Abstract

Cited by 82 (24 self)
What should it mean for an agent to know or believe an assertion is true with probability .99? Different papers [FH88, FZ88a, HMT88] give different answers, choosing to use quite different probability spaces when computing the probability that an agent assigns to an event. We show that each choice can be understood in terms of a betting game. This betting game itself can be understood in terms of three types of adversaries influencing three different aspects of the game. The first selects the outcome of all nondeterministic choices in the system; the second represents the knowledge of the agent's opponent in the betting game (this is the key place the papers mentioned above differ); the third is needed in asynchronous systems to choose the time the bet is placed. We illustrate the need for considering all three types of adversaries with a number of examples. Given a class of adversaries, we show how to assign probability spaces to agents in a way most appropriate for that class, where "most appropriate" is made precise in terms of this betting game. We conclude by showing how different assignments of probability spaces (corresponding to different opponents) yield different levels of guarantees in probabilistic coordinated attack.
Perfect zero-knowledge in constant rounds
In Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing
, 1990
Abstract

Cited by 39 (4 self)
Quadratic residuosity and graph isomorphism are classic problems and the canonical examples of zero-knowledge languages. However, despite much research effort, all previous zero-knowledge proofs for them required either cryptography (and thus unproven assumptions) or an unbounded number of rounds of message exchange. For both (and similar) languages, we exhibit zero-knowledge proofs that require 5 rounds and no unproven assumptions. Our solution is essentially optimal, in this setting, due to a recent lower-bound argument of Goldreich and Krawczyk.
Round-Optimal Zero-Knowledge Arguments Based on any One-Way Function
, 1997
Abstract

Cited by 34 (3 self)
We fill a gap in the theory of zero-knowledge protocols by presenting NP-arguments that achieve negligible error probability and computational zero-knowledge in four rounds of interaction, assuming only the existence of a one-way function. This result is optimal in the sense that four rounds and a one-way function are each individually necessary to achieve a negligible-error zero-knowledge argument for NP.
The complexity of decision versus search
SIAM Journal on Computing
, 1994
Abstract

Cited by 34 (1 self)
A basic question about NP is whether or not search reduces in polynomial time to decision. We indicate that the answer is negative: under a complexity assumption (that deterministic and nondeterministic double-exponential time are unequal) we construct a language in NP for which search does not reduce to decision. These ideas extend in a natural way to interactive proofs and program checking. Under similar assumptions we present languages in NP for which it is harder to prove membership interactively than it is to decide this membership, and languages in NP which are not checkable.
Keywords: NP-completeness, self-reducibility, interactive proofs, program checking, sparse sets,
Identification protocols secure against reset attacks
Adv. in Cryptology — Eurocrypt 2001, LNCS
, 2001
Abstract

Cited by 32 (4 self)
We provide identification protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of the user. These protocols are suitable for use by devices (like smartcards) which when under adversary control may not be able to reliably maintain their internal state between invocations.
Randomness, Interactive Proofs and . . .
Appears in The Universal Turing Machine: A Half-Century Survey, R. Herken ed.
, 1987
Abstract

Cited by 32 (7 self)
Recent approaches to the notions of randomness and proofs are surveyed. The new notions differ from the traditional ones in being subjective to the capabilities of the observer rather than reflecting "ideal" entities. The new notion of randomness regards probability distributions as equal if they cannot be told apart by efficient procedures. This notion is constructive and is suited for many applications. The new notion of a proof allows the introduction of the notion of zero-knowledge proofs: convincing arguments which yield nothing but the validity of the assertion. The new approaches to randomness and proofs are based on basic concepts and results from the theory of resource-bounded computation. In order to make the survey as accessible as possible, we have presented elements of the theory of resource-bounded computation (but only to the extent required for the description of the new approaches). This survey is not intended to provide an account of the more traditional approaches to randomness (e.g. Kolmogorov Complexity) and proofs (i.e. traditional logic systems). Whenever these approaches are described it is only in order to confront them with the new approaches.