Protecting Mobile Agents Against Malicious Hosts
1997
Cited by 323 (1 self)
A key element of any mobile code based distributed system are the security mechanisms available to protect (a) the host against potentially hostile actions of a code fragment under execution and (b) the mobile code against tampering attempts by the executing host. Many techniques for the first problem (a) have been developed. The second problem (b) seems to be much harder: It is the general belief that computation privacy for mobile code cannot be provided without tamper resistant hardware. Furthermore it is doubted that an agent can keep a secret (e.g., a secret key to generate digital signatures). There is an error in reasoning in the arguments supporting these beliefs which we are going to point out. In this paper we describe software-only approaches for providing computation privacy for mobile code in the important case that the mobile code fragment computes an algebraic circuit (a polynomial). We further describe an approach how a mobile agent can digitally sign his...
Toward Mobile Cryptography
IEEE Symp. Security and Privacy, IEEE Computer Soc. Press, Los Alamitos, Calif, 1998
Non-Interactive CryptoComputing for NC1
In 40th Annual Symposium on Foundations of Computer Science, 1999
Cited by 90 (1 self)
The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model. Namely, the number of communication rounds in which Alice and Bob need to engage in to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomial-time for NC
One-Round Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract)
2000
Cited by 86 (0 self)
This paper investigates one-round secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. A model in which Bob may be computationally unbounded is investigated, which corresponds to information-theoretic security for Alice. It is shown that 1. for honest-but-curious behavior and unbounded Bob, any function computable by a polynomial-size circuit can be computed securely assuming the hardness of the decisional Diffie-Hellman problem; 2. for malicious behavior by both (bounded) parties, any function computable by a polynomial-size circuit can be computed securely, in a public-key framework, assuming the hardness of the decisional Diffie-Hellman problem.
Transitive Signature Schemes
In Proceedings of RSA 2002, volume 2271 of LNCS, 2002
Cited by 63 (7 self)
We consider the problem of finding public-key digital signature schemes with a transitive-closure property for signing the vertices and edges of a (directed or undirected) finite graph. More precisely, we want the property that if Alice has signed edge (u, v) and she has also signed the edge (v, w) then Bob (or anyone) can derive from those two signatures Alice's signature on the edge (u, w). We present an efficient solution for undirected graphs, and leave the case for directed graphs as an open problem.
Towards Formal Analysis of Security Protocols
In Computer Security Foundations Workshop VI, 1993
Cited by 37 (4 self)
The pioneering and well-known work of Burrows, Abadi and Needham (the BAN logic) which dominates the area of security protocol analysis is shown to take an approach which is not fully formal and which consequently permits approval of dangerous protocols. Measures to make the BAN logic formal are then proposed. The formalisation is found to be desirable not only for its potential in providing rigorous analysis of security protocols, but also for its readiness for supporting a computer-aided fashion of analysis.
1 Introduction
A security protocol such as one for distributing cryptographic keys is essentially a few lines of a specification of a program. Its analysis can therefore be considered as analogous to the correctness verification of such a program. However, unlike the case of running a computer program, where the user naturally bears an intention to follow the instruction so to avoid potential bugs, the main objective of a dishonest user during a run of a security protocol is to ...
Homomorphic Public-Key Cryptosystems and Encrypting Boolean Circuits
2003
Cited by 18 (5 self)
In this paper homomorphic cryptosystems are designed for the first time over any finite group. Applying Barrington's construction we produce for any boolean circuit of the logarithmic depth its encrypted simulation of a polynomial size over an appropriate finitely generated group.
Constructions in public-key cryptography over matrix groups
Contemp. Math., Amer. Math. Soc
Cited by 10 (6 self)
The purpose of the paper is to give new key agreement protocols (a multiparty extension of the protocol due to Anshel-Anshel-Goldfeld and a generalization of the Diffie-Hellman protocol from abelian to solvable groups) and a new homomorphic public-key cryptosystem. They rely on difficulty of the conjugacy and membership problems for subgroups of a given group. To support these and other known cryptographic schemes we present a general technique to produce a family of instances being matrix groups (over finite commutative rings) which play a role for these schemes similar to the groups $\mathbb{Z}_n^*$ in the existing cryptographic constructions like RSA or discrete logarithm. Partially supported by RFFI, grants, 030100349, NSH2251.2003.1. The paper was done during the
CryptoComputing with rationals
2002
Cited by 10 (0 self)
In this paper we describe a method to compute with encrypted rational numbers.
Two-Party Computing with Encrypted Data
ASIACRYPT'07, 2007
Cited by 10 (1 self)
We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of “Computing with Encrypted Data” that was put forth in 1978 by Rivest, Adleman and Dertouzos which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryption of their local inputs. Then in an online stage, given any common input circuit C and its set of inputs from among the published encryptions, the first party sends a single message to the second party, who completes the computation.