Non-Malleable Cryptography
SIAM Journal on Computing, 2000
Cited by 450 (22 self)
Abstract: The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

The Decision Diffie-Hellman Problem
1998
Cited by 197 (6 self)
Abstract: The Decision Diffie-Hellman assumption (DDH) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area. 1 Introduction An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a, b ∈ [1, |G|] and exchange g^a, g^b. The secret key is g^{ab}. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as: dh_g(g^a, g^b) = g^{ab}. We say that the group G satisfies the Computational Diffie-Hellman assumption (CDH) if no efficient algorithm can compute the function dh_g(x, y) in G. Precise definitions are given in the next sectio...

Number-theoretic constructions of efficient pseudorandom functions
In 38th Annual Symposium on Foundations of Computer Science, 1997

Pseudorandom functions revisited: The cascade construction and its concrete security
Proceedings of the 37th Symposium on Foundations of Computer Science, IEEE, 1996
Cited by 92 (20 self)
Abstract: Pseudorandom function families are a powerful cryptographic primitive, yielding, in particular, simple solutions for the main problems in private key cryptography. Their existence based on general assumptions (namely, the existence of one-way functions) has been established. In this work we investigate new ways of designing pseudorandom function families. The goal is to find constructions that are both efficient and secure, and thus eventually to bring the benefits of pseudorandom functions to practice.

Oblivious Transfer with Adaptive Queries
Proc. CRYPTO, Springer LNCS, 1999
Cited by 43 (2 self)
Abstract: We provide protocols for the following two-party problem: One party, the sender, has N values and the other party, the receiver, would like to learn k of them, deciding which ones in an adaptive manner (i.e. the i-th value may depend on the first i − 1 values). The sender does not want the receiver to obtain more than k values. This is a variant of the well known Oblivious Transfer (OT) problem and has applications in protecting privacy in various settings. We present efficient protocols for the problem that require an O(N) computation in the preprocessing stage and fixed computation (independent of k) for each new value the receiver obtains. The online computation involves roughly log N invocations of a 1-out-of-2 OT protocol. The protocols are based on a new primitive, sum consistent synthesizers. 1 Introduction Oblivious Transfer (abbrev. OT) refers to several types of two-party protocols where at the beginning of the protocol one party, the Sender (or sometimes Bob or B), has ...

Zaps and Their Applications
In 41st FOCS, 2000
Cited by 42 (8 self)
Abstract: A zap is a two-round, witness-indistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "once-and-for-all" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, based on the existence of non-interactive zero-knowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string.

Chosen-Ciphertext Security via Correlated Products
Cited by 30 (3 self)
Abstract: We initiate the study of one-wayness under correlated products. We are interested in identifying necessary and sufficient conditions for a function f and a distribution on inputs (x1, ..., xk), so that the function (f(x1), ..., f(xk)) is one-way. The main motivation of this study is the construction of public-key encryption schemes that are secure against chosen-ciphertext attacks (CCA). We show that any collection of injective trapdoor functions that is secure under very natural correlated products can be used to construct a CCA-secure public-key encryption scheme. The construction is simple, black-box, and admits a direct proof of security. We provide evidence that security under correlated products is achievable by demonstrating that any collection of lossy trapdoor functions, a powerful primitive introduced by Peikert and Waters (STOC '08), yields a collection of injective trapdoor functions that is secure under the above mentioned natural correlated products. Although we eventually base security under correlated products on lossy trapdoor functions, we argue that the former notion is potentially weaker as a general assumption. Specifically, there is no fully-black-box construction of lossy trapdoor functions from trapdoor functions that are secure under correlated products.

Distributed Pseudo-Random Functions and KDCs
Advances in Cryptology: EUROCRYPT '99, Volume 1592 of Lecture Notes in Computer Science, 1999
Cited by 29 (0 self)
Abstract: This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x). The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.

Computationally private randomizing polynomials and their applications
In Proc. 20th Conference on Computational Complexity, 2005
Cited by 25 (11 self)
Abstract: Randomizing polynomials allow to represent a function f(x) by a low-degree randomized mapping f̂(x, r) whose output distribution on an input x is a randomized encoding of f(x). It is known that any function f in uniform ⊕L/poly (and in particular in NC^1) can be efficiently represented by degree-3 randomizing polynomials. Such a degree-3 representation gives rise to an NC^0_4 representation, in which every bit of the output depends on only 4 bits of the input. In this paper, we study the relaxed notion of computationally private randomizing polynomials, where the output distribution of f̂(x, r) should only be computationally indistinguishable from a randomized encoding of f(x). We construct degree-3 randomizing polynomials of this type for every polynomial-time computable function, assuming the existence of a cryptographic pseudorandom generator (PRG) in uniform ⊕L/poly. (The latter assumption is implied by most standard intractability assumptions used in cryptography.) This result is obtained by combining a variant of Yao's garbled circuit technique with previous "information-theoretic" constructions of randomizing polynomials. We then present the following applications: • Relaxed assumptions for cryptography in NC^0. Assuming a PRG in uniform ⊕L/poly, the

Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer
In the 8th TCC, Springer (LNCS 6597), 2011
Cited by 23 (3 self)
Abstract: Protocols for secure two-party computation enable a pair of parties to compute a function of their inputs while preserving security properties such as privacy, correctness and independence of inputs. Recently, a number of protocols have been proposed for the efficient construction of two-party computation secure in the presence of malicious adversaries (where security is proven under the standard simulation-based ideal/real model paradigm for defining security). In this paper, we present a protocol for this task that follows the methodology of using cut-and-choose to boost Yao's protocol to be secure in the presence of malicious adversaries. Relying on specific assumptions (DDH), we construct a protocol that is significantly more efficient and far simpler than the protocol of Lindell and Pinkas (Eurocrypt 2007) that follows the same methodology. We provide an exact, concrete analysis of the efficiency of our scheme and demonstrate that (at least for not very small circuits) our protocol is more efficient than any other known today.
Keywords: secure two-party computation, malicious adversaries, cut-and-choose, concrete efficiency