Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
Theory of Cryptography, TCC 2004, Lecture Notes in Computer Science, 2004
Cited by 93 (2 self)
Abstract. The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that indifferentiability is the necessary and sufficient condition on two systems S and T such that the security of any cryptosystem using T as a component is not affected when T is substituted by S. In contrast to indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions. Third, we state an easily verifiable criterion for a system U not to be reducible (according to our generalized definition) to another system V and, as an application, prove that a random oracle is not reducible to a weaker primitive, called asynchronous beacon, and also that an asynchronous beacon is not reducible to a finite-length random string. Each of these irreducibility results alone implies the main theorem of Canetti, Goldreich and Halevi stating that there exist cryptosystems that are secure in the random oracle model but for which replacing the random oracle by any implementation leads to an insecure cryptosystem. Key words: Indistinguishability, reductions, indifferentiability, security proofs, random oracle methodology, hash functions.
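The abstract's point that indifferentiability, unlike indistinguishability, covers adversaries who can query a construction's public inner component is easiest to see on a plain Merkle-Damgård hash: the digest is the full internal state, so anyone who can evaluate the public compression function f can continue hashing from a digest without knowing the message, which is impossible against a random oracle. The following is an added example, not code from the paper (the Merkle-Damgård analysis itself is due to Coron, Dodis, Malinaud and Puniya, CRYPTO 2005). It models f as SHA-256 over (chaining value || block) and uses a toy 32-byte state, 64-byte block and MD-strengthening padding; all of those are assumptions made for readability, as is the sample message.

```python
"""Length-extension distinguisher for a plain Merkle-Damgard hash MD[f].

Added illustration, not code from the paper. The compression function f is
modelled as SHA-256 over (chaining value || block) and is treated as the public
component an adversary may query directly; block size, state size, IV and
padding are toy choices (assumptions) made for readability.
"""
import hashlib
import os

BLOCK = 64          # bytes per message block (assumption)
IV = b"\x00" * 32   # fixed initial chaining value (assumption)


def compress(chain: bytes, block: bytes) -> bytes:
    """Public compression function f: 32-byte state x 64-byte block -> 32 bytes."""
    assert len(chain) == 32 and len(block) == BLOCK
    return hashlib.sha256(chain + block).digest()


def pad(msg_len: int) -> bytes:
    """MD-strengthening: 0x80, zero fill, then the message bit-length in 8 bytes."""
    zeros = (BLOCK - (msg_len + 1 + 8) % BLOCK) % BLOCK
    return b"\x80" + b"\x00" * zeros + (msg_len * 8).to_bytes(8, "big")


def md_hash(msg: bytes, chain: bytes = IV, prefix_len: int = 0) -> bytes:
    """H(msg): iterate f over msg || pad(prefix_len + len(msg)) starting at `chain`.

    With the defaults this is the ordinary hash. `chain` and `prefix_len` let a
    caller resume the iteration after an earlier, already padded prefix of that
    length, which is exactly what the distinguisher exploits: the digest of an
    MD hash *is* its internal state.
    """
    data = msg + pad(prefix_len + len(msg))
    for i in range(0, len(data), BLOCK):
        chain = compress(chain, data[i:i + BLOCK])
    return chain


def extend(digest: bytes, known_len: int, ext: bytes):
    """From H(m) and len(m) alone, return (glue, H(m || glue || ext))."""
    glue = pad(known_len)                      # the padding m received inside H
    padded_prefix = known_len + len(glue)      # a multiple of BLOCK
    return glue, md_hash(ext, chain=digest, prefix_len=padded_prefix)


def distinguisher(hash_oracle) -> bool:
    """Indifferentiability-style distinguisher with access to H and to f.

    Queries the construction on m, derives a digest for m || glue || ext using
    only the public f, then checks it against the construction's own answer.
    Returns True for MD[f] (the values agree) and False for a random oracle,
    whose outputs on the two related inputs are independent, so no simulator
    answering the f-queries without knowing m can make them agree.
    """
    m, ext = b"user=alice&role=guest", b"&role=admin"   # constructed sample input
    glue, forged = extend(hash_oracle(m), len(m), ext)
    return hash_oracle(m + glue + ext) == forged


def random_oracle():
    """Lazily sampled random function {0,1}* -> {0,1}^256 (the ideal world)."""
    table = {}

    def ro(msg: bytes) -> bytes:
        if msg not in table:
            table[msg] = os.urandom(32)
        return table[msg]
    return ro


if __name__ == "__main__":
    print("MD[f] distinguished:", distinguisher(md_hash))          # True
    print("RO distinguished:   ", distinguisher(random_oracle()))  # False
```

The two runs differ only in which oracle stands in for H; f is identical and public in both, which is the setting the abstract describes. An indistinguishability game that hid f would not separate the two worlds.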
Simulation-sound NIZK proofs for a practical language and constant size group signatures
2006
Cited by 80 (12 self)
Non-interactive zero-knowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP-complete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulation-sound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
Fully anonymous group signatures without random oracles
In ASIACRYPT 2007, volume 4833 of LNCS, 2007
Cited by 50 (2 self)
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
FSE’06, LNCS 4047, 2005
Cited by 20 (1 self)
The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating back to Shannon [24] and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this model or regarding the model's validity.
A non-interactive shuffle with pairing based verifiability
In proceedings of ASIACRYPT ’07, LNCS series, 2007
Cited by 16 (2 self)
A shuffle is a permutation and re-encryption of a set of ciphertexts. Shuffles are for instance used in mix-nets for anonymous broadcast and voting. One way to make a shuffle verifiable is to give a zero-knowledge proof of correctness. All currently known practical zero-knowledge proofs for correctness of a shuffle rely on interaction. We give the first efficient non-interactive zero-knowledge proof for correctness of a shuffle.
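The abstract's first sentence defines the object the proof is about: a shuffle permutes a list of ciphertexts and re-encrypts each one so the output cannot be linked to the input. The following added example (not code from the paper) implements that operation for ElGamal in a deliberately tiny safe-prime group (p = 2039, q = 1019, g = 4; toy assumptions chosen for readability, not for security), checks that decryption yields the same multiset of plaintexts, and spells out the relation a shuffle proof must certify by verifying it with the secret witness opened. Certifying that same relation without revealing the permutation or the randomizers is the paper's contribution; this code does not attempt it.

```python
"""Toy ElGamal shuffle: permute and re-encrypt a list of ciphertexts.

Added illustration, not code from the paper. The group parameters are a tiny
safe-prime group (assumption, for readability only); a real mix-net uses a
large MODP group or an elliptic curve.
"""
import secrets

P = 2039   # safe prime, P = 2*Q + 1 (toy parameter)
Q = 1019   # prime order of the subgroup of quadratic residues mod P
G = 4      # 2^2, hence a generator of the order-Q subgroup


def keygen():
    """ElGamal key pair (sk, pk) with pk = G^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, m, r=None):
    """Encrypt subgroup element m with randomness r: (G^r, m * pk^r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def reencrypt(pk, c, s):
    """Multiply c by an encryption of 1: same plaintext, fresh randomness s."""
    a, b = c
    return (a * pow(G, s, P) % P, b * pow(pk, s, P) % P)


def decrypt(sk, c):
    """Recover m = b / a^sk."""
    a, b = c
    return b * pow(pow(a, sk, P), P - 2, P) % P


def shuffle(pk, cts):
    """Return (outputs, witness) with witness = (permutation, randomizers).

    The witness is what a verifiable shuffle proves knowledge of in zero
    knowledge; a mix server must never publish it, or the shuffle is undone.
    """
    n = len(cts)
    perm = list(range(n))
    for i in range(n - 1, 0, -1):           # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    rands = [secrets.randbelow(Q) for _ in range(n)]
    outs = [reencrypt(pk, cts[perm[i]], rands[i]) for i in range(n)]
    return outs, (perm, rands)


def verify_with_witness(pk, cts, outs, witness):
    """The relation a shuffle proof certifies, checked here by opening the witness:
    outs[i] == ReEnc(cts[perm[i]], rands[i]) for some permutation perm."""
    perm, rands = witness
    if len(outs) != len(cts) or sorted(perm) != list(range(len(cts))):
        return False
    return all(outs[i] == reencrypt(pk, cts[perm[i]], rands[i])
               for i in range(len(cts)))


def plaintext_multiset(sk, cts):
    """Sorted plaintexts, for comparing input and output batches."""
    return sorted(decrypt(sk, c) for c in cts)


if __name__ == "__main__":
    sk, pk = keygen()
    msgs = [pow(G, i, P) for i in range(1, 6)]        # constructed sample plaintexts
    cts = [encrypt(pk, m) for m in msgs]
    outs, witness = shuffle(pk, cts)
    print("witness verifies:", verify_with_witness(pk, cts, outs, witness))
    print("same plaintexts: ", plaintext_multiset(sk, outs) == sorted(msgs))
```

`verify_with_witness` is what a verifier could check if the mix server handed over perm and rands; doing so would destroy anonymity, which is why the relation has to be proved in zero knowledge, and doing that without interaction is the paper's result.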
Intrusion-resilient key exchange in the bounded retrieval model
TCC 2007: 4th Theory of Cryptography Conference, volume 4392 of Lecture
Cited by 11 (2 self)
Abstract. We construct an intrusion-resilient symmetric-key authenticated key exchange (AKE) protocol in the bounded retrieval model. The model employs a long shared private key to cope with an active adversary who can repeatedly compromise the user’s machine and perform any efficient computation on the entire shared key. However, we assume that the attacker is communication bounded and unable to retrieve too much information during each successive break-in. In contrast, the users read only a small portion of the shared key, making the model quite realistic in situations where storage is much cheaper than bandwidth. The problem was first studied by Dziembowski [Dzi06a], who constructed a secure AKE protocol using random oracles. We present a general paradigm for constructing intrusion-resilient AKE protocols in this model, and show how to instantiate it without random oracles. The main ingredients of our construction are UC-secure password authenticated key exchange and tools from the bounded storage model.
Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology
Theory of Cryptography, TCC 2004, Lecture Notes in Computer Science, 2003
Cited by 10 (1 self)
The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that...
Instantiating Random Oracles via UCEs
2013
Cited by 9 (3 self)
This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hard-core functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
Honest verifier zeroknowledge arguments applied
Dissertation Series DS043, BRICS, 2004. PhD thesis, xii+119 pp., 2004
Short Group Signature without Random Oracles
2007
Cited by 7 (4 self)
We construct a short group signature which is proven secure without random oracles. By making certain reasonable assumptions and applying the technique of non-interactive proof systems, we prove that our scheme achieves full anonymity and full traceability. Compared with other related works, such as BW06 [9] and BW07 [10], ours is more practical due to the short size of both the public key and the group signature.