Variations of Diffie-Hellman Problem
In ICICS ’03, volume 2836 of LNCS, 2003
Cited by 34 (1 self)
Abstract. This paper studies various computational and decisional Diffie-Hellman problems by providing reductions among them in the high granularity setting. We show that all three variations of the computational Diffie-Hellman problem: the square Diffie-Hellman problem, the inverse Diffie-Hellman problem and the divisible Diffie-Hellman problem, are equivalent with optimal reduction. Also, we consider variations of the decisional Diffie-Hellman problem in the single sample and polynomial samples settings, and we are able to show that all variations are equivalent except for the argument DDH ⇐ SDDH. We are not able to prove or disprove this statement, and thus leave it as an interesting open problem. Keywords: Diffie-Hellman problem, Square Diffie-Hellman problem, Inverse Diffie-Hellman problem, Divisible Diffie-Hellman problem
Cryptographic Primitives Enforcing Communication and Storage Complexity
In Financial Cryptography (FC 2002), 2003
Cited by 32 (0 self)
Abstract. We introduce a new type of cryptographic primitive which enforces high communication or storage complexity. Intuitively, to evaluate these primitives on a random input one has to engage in a protocol of high communication complexity, or one has to use a lot of storage. Therefore, the ability to compute these primitives constitutes a certain “proof of work,” because the computing party is forced to contribute a lot of its communication or storage resources to this task. Such primitives can be used in applications which deal with non-malicious but selfishly resource-maximizing parties. For example, they can be useful in constructing peer-to-peer systems which are robust against so-called “free riders.” In this paper we define two such primitives, a communication-enforcing signature and a storage-enforcing commitment scheme, and we give constructions for both.
Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference
Advances in Cryptology - Eurocrypt 2001, LNCS 2045, 2002
Cited by 21 (2 self)
The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as the computational model, the problem type (computational, decisional) or the success probability of the adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.
Funkspiel Schemes: An Alternative to Conventional Tamper Resistance
In ACM CCS, 2000
Cited by 5 (1 self)
We investigate a simple method of fraud management for secure devices that may serve as an alternative or complement to conventional hardware-based tamper resistance. Under normal operating conditions in our scheme, a secure device includes an authentication code in its communications, e.g., in the digital signatures it issues. This code may be verified by a fraud management center under a predetermined key. When the device detects an attempted break-in, it modifies this key. This results in a change to the authentication codes issued by the device such that the fraud management center can detect the apparent break-in. Hence, in contrast to the case with typical tamper-resistance schemes, the deployer of our proposed scheme seeks to trace break-ins rather than prevent them. In reference to the wartime practice of physically capturing and subverting underground radio transmitters (a practice analogous to the capture and use of secret information on secure devices), we denote this idea by the German term funkspiel, meaning "radio game." One challenge in constructing a funkspiel scheme is to ensure that an attacker privy to the authentication codes of the secure device both before and after the break-in, as well as the secrets of the device following the break-in, cannot detect the alteration to the key. Additional challenges involve minimizing the communication and computation overhead, the requirement for use of shared secrets, and the state information associated with the authentication codes. We present several simple and practical schemes in this paper.
A Tool Box of Cryptographic Functions Related to the Diffie-Hellman Function
Indocrypt '01, Lecture Notes in Computer Science 2247
Cited by 4 (1 self)
Given a cyclic group G and a generator g, the Diffie-Hellman function (DH) maps two group elements (g^a, g^b) to g^{ab}. For many groups G this function is assumed to be hard to compute. We generalize this function to the P-Diffie-Hellman function (PDH) that maps two group elements (g^a, g^b) to g^{P(a,b)} for a (non-linear) polynomial P in a and b.
Uncoercible e-Bidding Games
Electronic Commerce Research, 2004
Cited by 4 (0 self)
The notion of uncoercibility was first introduced in e-voting systems to deal with the coercion of voters. However, this notion extends to many other e-systems for which the privacy of users must be protected, even if the users wish to undermine their own privacy. In this paper we consider uncoercible e-bidding games. We discuss necessary requirements for uncoercibility, and present a general uncoercible e-bidding game that distributes the bidding procedure between the bidder and a tamper-resistant token in a verifiable way. We then show how this general game can be used to design provably uncoercible e-auctions and e-elections. Finally, we discuss the practical consequences of uncoercibility in other areas of e-commerce.
Strong Forward Security
In: IFIP SEC ’01 Conference, Kluwer, 2001
Cited by 2 (1 self)
Forward security has been proposed as a method to minimize the consequences of key exposure. In this paper we analyze this method and consider a vulnerability which is due to the fact that the exposure may not have been detected. All forward-secure cryptosystems proposed so far are vulnerable during the period between key exposure and its detection. We consider the notion of strong forward security, in which cryptographically processed data is protected not only for the periods prior to key exposure but also after key exposure, and present two applications with this novel property: a basic public key cryptosystem and an ElGamal-based key escrow scheme. Keywords: Forward security, key update, intrusion detection. Research supported by the Secretariat of Research and Technology of Greece.
Equitability in Retroactive Data Confiscation versus Proactive Key Escrow
4th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2003, Proceedings, LNCS, 1992
Cited by 2 (1 self)
Abstract. The British Regulation of Investigatory Powers (RIP) Act 2000 is one of the first modern bills for mandatory disclosure of protected data in a democratic country. In this paper we compare this bill from a technical point of view with the US key escrow proposal (EES) and its variants and then, more generally, we compare the merits of data confiscation vs. key escrow. A major problem with key escrow is that once a private key is recovered it can be used to decipher ciphertexts which were sent well before a warrant was issued (or after its expiration). Several alternative key escrow systems have been proposed in the literature to address this issue. These are equitable, in the sense that the control of society over the individual and the control of the individual over society are fairly shared. We show that equitability is much easier to achieve with data confiscation than with key escrow. Consequently, although the RIP act was heavily criticized in the press and on the internet, it inherently maintains a better level of privacy than key escrow. Finally, we present some practical deniable decryption variants of popular public key systems. Key words: RIP, key escrow, data confiscation.
ID-Based Group Password-Authenticated Key Exchange
Cited by 2 (1 self)
Abstract. Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of whom shares a password with an “honest but curious” server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the key established is known to the clients only and to no one else, including the server. Each client needs to remember passwords only, while the server keeps passwords in addition to private keys related to its identity. Towards our goal, we present a compiler that transforms any group key exchange (KE) protocol secure against passive eavesdropping into a group PAKE which is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry’s scheme), and any identity-based signature (IBS) scheme (e.g., the Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as the underlying group KE protocol, IBE scheme and IBS scheme have provable security without random oracles, a group PAKE constructed by our compiler can be proven secure without random oracles.
Send Message into a Definite Future
1999
Cited by 1 (0 self)
Rivest et al. proposed a time-lock puzzle scheme for encrypting messages which can only be decrypted in the future. Such a puzzle specifies an algorithm for decrypting the message locked in, and the specified algorithm has a well understood time complexity. However, that time-lock puzzle scheme does not provide a means for one to examine whether a puzzle has been formed in good order. Consequently, one may foolishly waste a lengthy time on trying to solve an intractable problem. This weakness prohibits that scheme from applications that involve mutually untrusted parties. We propose a new time-lock puzzle scheme which includes an efficient protocol that allows examination of the time needed for decrypting the message locked in.