Results 1 - 10 of 17
Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
 Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science
, 2004
Cited by 71 (1 self)
Abstract. The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that indifferentiability is the necessary and sufficient condition on two systems S and T such that the security of any cryptosystem using T as a component is not affected when T is substituted by S. In contrast to indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions. Third, we state an easily verifiable criterion for a system U not to be reducible (according to our generalized definition) to another system V and, as an application, prove that a random oracle is not reducible to a weaker primitive, called asynchronous beacon, and also that an asynchronous beacon is not reducible to a finite-length random string. Each of these irreducibility results alone implies the main theorem of Canetti, Goldreich and Halevi stating that there exist cryptosystems that are secure in the random oracle model but for which replacing the random oracle by any implementation leads to an insecure cryptosystem. Key words. Indistinguishability, reductions, indifferentiability, security proofs, random oracle methodology, hash functions.
Simulation-sound NIZK proofs for a practical language and constant size group signatures, 2006. Full paper available at http://www.brics.dk/~jg/NIZKGroupSignFull.pdf
Cited by 45 (9 self)
Abstract. Non-interactive zero-knowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP-complete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulation-sound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
Fully anonymous group signatures without random oracles
 In ASIACRYPT 2007, volume 4833 of LNCS
, 2007
Cited by 28 (2 self)
We construct a new group signature scheme using bilinear groups. The group signature scheme is practical, both keys and group signatures consist of a constant number of group elements, and the scheme permits dynamic enrollment of new members. The scheme satisfies strong security requirements, in particular providing protection against key exposures and not relying on random oracles in the security proof.
The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function
 FSE’06, LNCS 4047
, 2005
Cited by 15 (1 self)
The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating back to Shannon [24] and has seen frequent use in proving the security of various cryptographic objects and protocols. But very little discussion has transpired regarding the meaning of proofs conducted in this model or regarding the model's validity.
A non-interactive shuffle with pairing based verifiability
 In proceedings of ASIACRYPT ’07, LNCS series
, 2007
Cited by 11 (2 self)
A shuffle is a permutation and re-encryption of a set of ciphertexts. Shuffles are for instance used in mix-nets for anonymous broadcast and voting. One way to make a shuffle verifiable is to give a zero-knowledge proof of correctness. All currently known practical zero-knowledge proofs for correctness of a shuffle rely on interaction. We give the first efficient non-interactive zero-knowledge proof for correctness of a shuffle.
Intrusion-resilient key exchange in the bounded retrieval model
 TCC 2007: 4th Theory of Cryptography Conference, volume 4392 of Lecture
Cited by 10 (1 self)
Abstract. We construct an intrusion-resilient symmetric-key authenticated key exchange (AKE) protocol in the bounded retrieval model. The model employs a long shared private key to cope with an active adversary who can repeatedly compromise the user’s machine and perform any efficient computation on the entire shared key. However, we assume that the attacker is communication bounded and unable to retrieve too much information during each successive break-in. In contrast, the users read only a small portion of the shared key, making the model quite realistic in situations where storage is much cheaper than bandwidth. The problem was first studied by Dziembowski [Dzi06a], who constructed a secure AKE protocol using random oracles. We present a general paradigm for constructing intrusion-resilient AKE protocols in this model, and show how to instantiate it without random oracles. The main ingredients of our construction are UC-secure password authenticated key exchange and tools from the bounded storage model.
Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology
 Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science
, 2003
Cited by 7 (1 self)
The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that...
On the relation between the ideal cipher and the random oracle models
 In: TCC 2006. LNCS
, 2006
Cited by 6 (2 self)
Abstract. The Random Oracle Model and the Ideal Cipher Model are two of the most popular idealized models in cryptography. It is a fundamentally important practical and theoretical problem to compare the relative strengths of these models and to see how they relate to each other. Recently, Coron et al. [8] proved that one can securely instantiate a random oracle in the ideal cipher model. In this paper, we investigate if it is possible to instantiate an ideal block cipher in the random oracle model, which is a considerably more challenging question. We conjecture that the Luby-Rackoff construction [19] with a sufficient number of rounds should suffice to show this implication. This does not follow from the famous Luby-Rackoff result [19] showing that 4 rounds are enough to turn a pseudorandom function into a pseudorandom permutation, since the results of the intermediate rounds are known to everybody. As a partial step toward resolving this conjecture, we show that random oracles imply ideal ciphers in the honest-but-curious model, where all the participants are assumed to follow the protocol, but keep all their intermediate results. Namely, we show that the Luby-Rackoff construction with a superlogarithmic number of rounds can be used to instantiate the ideal block cipher in any honest-but-curious cryptosystem, and result in a similar honest-but-curious cryptosystem in the random oracle model. We also show that securely instantiating the ideal cipher using the Luby-Rackoff construction with up to a logarithmic number of rounds is equivalent in the honest-but-curious and malicious models.
Short Group Signature without Random Oracles
, 2007
Cited by 4 (2 self)
We construct a short group signature which is proven secure without random oracles. By making certain reasonable assumptions and applying the technique of non-interactive proof systems, we prove that our scheme achieves full anonymity and full traceability. Compared with other related works, such as BW06 [9] and BW07 [10], ours is more practical due to the short size of both the public key and the group signature.
Interactive Zero-Knowledge with Restricted Random Oracles. Theory of Cryptography Conference (TCC
, 2006
Cited by 3 (2 self)
Abstract. We investigate the design and proofs of zero-knowledge (ZK) interactive systems under what we call the “restricted random oracle model” which restrains the usage of the oracle in the protocol design to that of collapsing protocol rounds a la Fiat-Shamir heuristics, and limits the oracle programmability in the security proofs. We analyze subtleties resulting from the involvement of random oracles in the interactive setting and derive our methodology. Then we investigate the Feige-Shamir 4-round ZK argument for NP in this model: First we show that a 2-round protocol is possible for a very interesting set of languages; we then show that while the original protocol is not concurrently secure in the public-key model, a modified protocol in our model is, in fact, concurrently secure in the bare public-key model. We point at applications and implications of this fact. Of possible independent interest is a concurrent attack against the Feige-Shamir ZK in the public-key model (for which it was not originally designed).