Simultaneous hardcore bits and cryptography against memory attacks
In TCC, 2009
Cited by 73 (8 self)
Abstract: This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating side-channel attack against cryptosystems, termed the "memory attack", was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the public-key encryption scheme of Regev (STOC 2005), and the identity-based encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secret key, or more generally, can compute an arbitrary function of the secret key of bounded output length. This is done without increasing the size of the secret key, and without introducing any
Secure Multi-Party Computation
1998
Cited by 70 (1 self)
Contents:
1 Introduction and Preliminaries (p. 4)
1.1 A Tentative Introduction (p. 4)
1.1.1 Overview of the Definitions (p. 4)
1.1.2 Overview of the Known Results (p. 5)
1.1.3 Aims and nature of the current manuscript (p. 6)
1.1.4 Organization of this manuscript (p. 6)
1.2 Preliminaries (also tentative) (p. 6)
1.2.1 Computational complexity (p. 6)
1.2.2 Two-party and multi-party protocols (p. 10)
1.2.3 Strong Proofs of Knowledge (p. 10)
2 General Two-Party Computation (p. 13)
2.1.1 The semi-honest model
Robust Efficient Distributed RSA-Key Generation
Cited by 55 (4 self)
Abstract: We solve a central open problem in distributed cryptography, that of robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test "circuit size", while a robust protocol allows correct completion even in the presence of a minority of arbitrarily misbehaving malicious parties. Our protocol is shown to be secure against any minority of malicious parties (which is optimal). The above problem was mentioned in various works in the last decade and most recently by Boneh and Franklin [BF97]. The solution is a crucial step in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities), as well as other applications besides RSA (namely: composite ElGamal, identification schemes, simultaneous bit exchange, etc.). Of special interest is the fact that the solution can be combined with recent proactive function sharing tec...
Fully Homomorphic Encryption over the Integers
2010
Cited by 54 (6 self)
Abstract: We construct a simple fully homomorphic encryption scheme, using only elementary modular arithmetic. We use Gentry's technique to construct a fully homomorphic scheme from a "bootstrappable" somewhat homomorphic scheme. However, instead of using ideal lattices over a polynomial ring, our bootstrappable encryption scheme merely uses addition and multiplication over the integers. The main appeal of our scheme is the conceptual simplicity. We reduce the security of our scheme to finding an approximate integer gcd, i.e., given a list of integers that are near-multiples of a hidden integer, output that hidden integer. We investigate the hardness of this task, building on earlier work of Howgrave-Graham.
Micropayments Revisited
In Cryptography Track at RSA Conference, 2002
Cited by 44 (2 self)
Abstract: We present new micropayment schemes that are more efficient and user friendly than previous ones.
How To Break The Direct RSA-Implementation Of Mixes
Advances in Cryptology, EUROCRYPT '89 Proceedings, 1990
Cited by 44 (0 self)
Abstract: MIXes are a means of untraceable communication based on a public key cryptosystem, as published by David Chaum in 1981 (CACM 24/2, 84-88) (=[6]). In the case where RSA is used as this cryptosystem directly, i.e. without composition with other functions (e.g. destroying the multiplicative structure), we show how the resulting MIXes can be broken by an active attack which is perfectly feasible in a typical MIX environment. The attack does not affect the idea of MIXes as a whole: if the security requirements of [6] are concretized suitably and if a cryptosystem fulfils them, one can implement secure MIXes directly. However, it shows that present security notions for public key cryptosystems, which do not allow active attacks, do not suffice for a cryptosystem which is used to implement MIXes directly. We also warn of the same attack and others on further possible implementations of MIXes, and we mention several implementations which are not broken by any attack we know. I. INTRODUCTION: M...
How to make replicated data secure
Advances in Cryptology, CRYPTO, 1988
Cited by 43 (1 self)
Abstract: Many distributed systems manage some form of long-lived data, such as files or data bases. The performance and fault-tolerance of such systems may be enhanced if the repositories for the data are physically distributed. Nevertheless, distribution makes security more difficult, since it may be difficult to ensure that each repository is physically secure, particularly if the number of repositories is large. This paper proposes new techniques for ensuring the security of long-lived, physically distributed data. These techniques adapt replication protocols for fault-tolerance to the more demanding requirements of security. For a given threshold value, one set of protocols ensures that an adversary cannot ascertain the state of a data object by observing the contents of fewer than a threshold of repositories. These protocols are cheap; the message traffic needed to tolerate a given number of compromised repositories is only slightly more than the message traffic needed to tolerate the same number of failures. A second set of protocols ensures that an object's state cannot be altered by an adversary who can modify the contents of fewer than a threshold of repositories. These protocols are more expensive; to tolerate t-1 compromised repositories, clients executing certain operations must communicate with t-1 additional sites.
Strict Polynomial-time in Simulation and Extraction
2004
Cited by 43 (8 self)
Abstract: The notion of efficient computation is usually identified in cryptography and complexity with (strict) probabilistic polynomial time. However, until recently, in order to obtain constant-round
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions
1995
Cited by 41 (10 self)
Abstract: A pseudo-random function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudo-random synthesizer and show how to use it in order to get a parallel construction of a pseudo-random function. We show several NC¹ implementations of synthesizers based on concrete intractability assumptions such as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudo-random functions (based on standard intractability assumptions) and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudo-random functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.
Physically Observable Cryptography
TCC 2004, LNCS, 2003
Cited by 37 (1 self)
Abstract: After a quarter century of impetuous development, complexity-theoretic cryptography has succeeded in finding rigorous definitions of security and provably secure schemes. In complexity-theoretic cryptography, however, computation has been "abstracted away": an adversary may attack a cryptographic algorithm essentially only by exchanging messages with it. Consequently, this theory fails to take into account the physical nature of actual computation, and cannot protect against physical attacks cleverly exploiting the information leakage inherent to the physical execution of any cryptographic algorithm. Such "physical observation attacks" bypass the impressive barrier of mathematical security erected so far, and successfully break mathematically impregnable systems. The great practicality and the inherent availability of physical attacks threaten the very relevance of complexity-theoretic security. Why erect majestic walls if comfortable underpasses will always remain wide open? Responding to the present crisis requires extending the current mathematical models of cryptography to the physical setting. We do so by eliminating the mathematically convenient but physically unrealistic separation between the adversary and cryptographic computations. Specifically, ...