Results 1-10 of 122
Universally composable security: A new paradigm for cryptographic protocols
2013
Cited by 670 (35 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Non-Malleable Cryptography
SIAM Journal on Computing, 2000
Cited by 473 (22 self)
The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Security and Composition of Multiparty Cryptographic Protocols
Journal of Cryptology, 1998
Cited by 415 (19 self)
We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural 'subroutine substitution' operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, non-adaptive and adaptive adversaries, as well as the information-theoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.
Optimistic fair exchange of digital signatures
IEEE Journal on Selected Areas in Communications, 1998
Cited by 250 (10 self)
We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other's signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is "optimistic," in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player.
On the Composition of Zero-Knowledge Proof Systems
SIAM Journal on Computing, 1990
Cited by 198 (15 self)
The wide applicability of zero-knowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zero-knowledge protocols is zero-knowledge too. We demonstrate the limitations of the composition of zero-knowledge protocols by proving that the original definition of zero-knowledge is not closed under sequential composition; and that even the strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zero-knowledge proofs, with significant implications to the parallelization of zero-knowledge protocols. We prove that 3-round interactive proofs and constant-round Arthur-Merlin proofs that are black-box simulation zero-knowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
Black-Box Concurrent Zero-Knowledge Requires (almost) Logarithmically Many Rounds
SIAM Journal on Computing, 2002
Cited by 97 (7 self)
We show that any concurrent zero-knowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via black-box simulation, must use at least $\tilde{\Omega}(\log n)$ rounds of interaction. This result achieves a substantial improvement over previous lower bounds, and is the first bound to rule out the possibility of constant-round concurrent zero-knowledge when proven via black-box simulation. Furthermore, the bound is polynomially related to the number of rounds in the best known concurrent zero-knowledge protocol for languages in NP (which is established via black-box simulation).
Resettable Zero-Knowledge
In 32nd STOC, 1999
Cited by 77 (8 self)
We introduce the notion of Resettable Zero-Knowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zero-knowledge. In essence, an rZK protocol is one that remains zero-knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing him to use the same random tape.
Universal Composition with Joint State
2002
Cited by 66 (6 self)
We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are assumed to have completely disjoint local states, the new operation allows the composed protocols to have some amount of joint state (and, in particular, joint randomness) while still guaranteeing strong composability properties.
Magic Functions
1999
Cited by 58 (0 self)
We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem.
On the Existence of 3-Round Zero-Knowledge Protocols
In Crypto98, Springer LNCS 1462, 1999
Cited by 58 (2 self)
In this paper, we construct a 3-round zero-knowledge protocol for any NP language. Our protocol achieves weaker notions of zero-knowledge than black-box simulation zero-knowledge. Therefore, our result does not contradict the triviality result of Goldreich and Krawczyk [GoKr96] which shows that 3-round black-box simulation zero-knowledge exists only for BPP languages. Our main contribution is to provide a non-black-box simulation technique. Whether there exists such a simulation technique was a major open problem in the theory of zero-knowledge. Our simulation technique is based on a non-standard computational assumption related to the Diffie-Hellman problem, which was originally proposed by Damgård [Da91]. This assumption, which we call the DA1, says that, given a randomly chosen instance of the discrete logarithm problem $(p, q, g, g^a)$, it is infeasible to compute $(B, X)$ such that $X = B^a \bmod p$ without knowing the value $b$ satisfying $B = g^b \bmod p$. Our protocol achieves different no...