Noninteractive Private Auctions
2001
Cited by 38 (1 self)
We describe a new auction protocol that enjoys the following properties: the bids are submitted non-interactively and no information beyond the result is disclosed. The protocol is efficient for a logarithmic number of players. Our solution uses a semi-trusted third party T who learns no information provided that he does not collude with any participant. The robustness against active cheating players is achieved through an extra mechanism for fair encryption of a bit, which is of independent interest. The scheme is based on homomorphic encryption but differs from general techniques of secure circuit evaluation by taking into account the level of each gate and allowing efficient computation of unbounded logical gates. In a scenario with a small number of players, we believe that our work may be of practical significance, especially for electronic transactions.
Simulation in quasipolynomial time, and its application to protocol composition
In EUROCRYPT, 2003
Cited by 37 (10 self)
We propose a relaxation of zero-knowledge by allowing the simulator to run in quasi-polynomial time. We show that protocols satisfying this notion can be constructed in settings where the standard definition is too restrictive. Specifically, we construct constant-round straight-line concurrent quasi-polynomial-time simulatable arguments and show that such arguments can be used in advanced composition operations without any setup assumptions. Our protocols rely on slightly strong but standard-type assumptions (namely the existence of one-to-one one-way functions secure against subexponential circuits).
New Generation of Secure and Practical RSA-based Signatures
1996
Cited by 36 (1 self)
For most digital signature schemes used in practice, such as ISO 9796/RSA or DSA, it has only been shown that certain plausible cryptographic assumptions, such as the difficulty of factoring integers, computing discrete logarithms, or the collision-intractability of certain hash functions, are necessary for the security of the scheme, while their sufficiency is, strictly speaking, an open question. A clear advantage of such schemes over many signature schemes with security proven relative to such common cryptographic assumptions is their efficiency: as a result of their relatively weak requirements regarding computation, bandwidth and storage, these schemes have so far beaten provably secure schemes in practice. Our aim is to contribute to bridging the gap that seems to exist between the theory and practice of digital signature schemes. We present a digital signature that offers both proven security and practical value. More precisely, under an appropriate assumption about RSA, the ...
Compliance defects in public key cryptography
In Proceedings of the USENIX Technical Conference, 1996
Cited by 36 (0 self)
Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each other's public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A compliance defect in a cryptosystem is a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
Can D.S.A. be Improved? Complexity Trade-Offs with the Digital Signature Standard
1995
Cited by 34 (2 self)
The Digital Signature Algorithm (DSA) was proposed in 1991 by the US National Institute of Standards and Technology to provide an appropriate core for applications requiring digital signatures. Undoubtedly, many applications will include this standard in the future, and thus the foreseen domination of DSA as a legal certification tool is sufficiently important to focus research endeavours on the suitability of this scheme to various situations. In this paper, we present six new DSA-based protocols for: performing a quick batch-verification of n signatures. The proposed scheme allows one to save 3(n−1) log2(q) 480n modular multiplications.
Strengthening EPC Tags Against Cloning
In WiSe '05: Proceedings of the 4th ACM Workshop on Wireless Security, 2005
Cited by 33 (5 self)
The EPC (Electronic Product Code) tag is a form of RFID (Radio-Frequency IDentification) device that is emerging as a successor to the printed barcode. Like barcodes, EPC tags emit static codes that serve to identify and track shipping containers and individual objects. EPC tags, though, have a powerful benefit: they communicate in an automated, wireless manner. Some commercial segments, like the pharmaceutical industry, are coming to view EPC tags as an anti-counterfeiting tool. EPC tags are a potent mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. They are poor authenticators, though. EPC tags are vulnerable to elementary cloning and counterfeiting attacks. In this paper, we present techniques that strengthen the resistance of EPC tags to elementary cloning attacks. Our proposals are compliant with EPCglobal Class-1 Generation-2 UHF tags, which are likely to predominate in supply chains. We show how to leverage PIN-based access-control and privacy enhancement mechanisms in EPC tags to achieve what may be viewed as crude challenge-response authentication. Our techniques can even strengthen EPC tags against cloning in environments with untrusted reading devices.
Proofs of Storage from Homomorphic Identification Protocols
Cited by 28 (1 self)
Proofs of storage (PoS) are interactive protocols allowing a client to verify that a server faithfully stores a file. Previous work has shown that proofs of storage can be constructed from any homomorphic linear authenticator (HLA). The latter, roughly speaking, are signature/message authentication schemes where 'tags' on multiple messages can be homomorphically combined to yield a 'tag' on any linear combination of these messages. We provide a framework for building public-key HLAs from any identification protocol satisfying certain homomorphic properties. We then show how to turn any public-key HLA into a publicly-verifiable PoS with communication complexity independent of the file length and supporting an unbounded number of verifications. We illustrate the use of our transformations by applying them to a variant of an identification protocol by Shoup, thus obtaining the first unbounded-use PoS based on factoring (in the random oracle model).
Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)
Advances in Cryptology – Proc. of EUROCRYPT '03, LNCS 2656, 2002
Cited by 27 (1 self)
We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols: chosen-ciphertext-secure, interactive encryption. In settings where both parties are online, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...
A New Identification Scheme Based on the Perceptrons Problem
In Eurocrypt '95, LNCS 921, 1995
Cited by 26 (4 self)
Identification is a useful cryptographic tool. Since zero-knowledge theory appeared [3], several interactive identification schemes have been proposed (in particular Fiat-Shamir [2] and its variants [4, 6, 5], and Schnorr [9]). These identification schemes are based on number-theoretic problems. More recently, new schemes have appeared with the peculiarity that they are more efficient from the computational point of view and that their security is based on NP-complete problems: PKP (Permuted Kernels Problem) [10], SD (Syndrome Decoding) [12] and CLE (Constrained Linear Equations) [13]. We present a new NP-complete linear problem which comes from learning machines: the Perceptrons Problem. We have some constraints, m vectors X_i in {−1, +1}^n, and we want to find a vector V in {−1, +1}^n such that X_i · V ≥ 0 for all i. Next, we provide some zero-knowledge interactive identification protocols based on this problem, with an evaluation of their security. Finally, these protocols are well suited for smart card applications.
Strengthening Zero-Knowledge Protocols using Signatures
In Proceedings of EUROCRYPT '03, LNCS series, 2003
Cited by 26 (6 self)
Recently there has been interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper,