Results 1 
4 of
4
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 450 (22 self)
 Add to MetaCart
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Bit Commitment Using PseudoRandomness
 Journal of Cryptology
, 1991
"... We show how a pseudorandom generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communicat ..."
Abstract

Cited by 234 (16 self)
 Add to MetaCart
We show how a pseudorandom generator can provide a bit commitment protocol. We also analyze the number of bits communicated when parties commit to many bits simultaneously, and show that the assumption of the existence of pseudorandom generators suffices to assure amortized O(1) bits of communication per bit commitment.
PublicKey Cryptography and Password Protocols: The MultiUser Case
 In CCS ’99: Proceedings of the 6th ACM conference on Computer and communications security
, 1999
"... The problem of password authentication over an insecure network when the user holds only a humanmemorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in whi ..."
Abstract

Cited by 31 (0 self)
 Add to MetaCart
The problem of password authentication over an insecure network when the user holds only a humanmemorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we: ffl Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the twouser case. ffl Propose a new definition of security for the multiuser case, expressed in terms of transcripts of the entire system, rather than individual protocol executions. ffl Suggest several ways of achieving this security against both static and dynamic adversaries. In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multiuser case. We expose a weakness in their revised definition. 1
Immunizing Encryption Schemes from Decryption Errors
 In Eurocrypt 2004, SpringerVerlag (LNCS 3027
, 2004
"... We provide methods for transforming an encryption scheme susceptible to decryption errors into one that is immune to these errors. Immunity to decryption errors is vital when constructing nonmalleable and chosen ciphertext secure encryption schemes via current techniques; in addition, it may help ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
We provide methods for transforming an encryption scheme susceptible to decryption errors into one that is immune to these errors. Immunity to decryption errors is vital when constructing nonmalleable and chosen ciphertext secure encryption schemes via current techniques; in addition, it may help defend against certain cryptanalytic techniques, such as the attack of Proos [36] on the NTRU scheme.