Results 1  10
of
132
Universally composable security: A new paradigm for cryptographic protocols
, 2013
"... We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved ..."
Abstract

Cited by 850 (43 self)
 Add to MetaCart
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its securitypreserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 493 (22 self)
 Add to MetaCart
(Show Context)
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Security and Composition of Multiparty Cryptographic Protocols
 JOURNAL OF CRYPTOLOGY
, 1998
"... We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definiti ..."
Abstract

Cited by 475 (19 self)
 Add to MetaCart
We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural `subroutine substitution' operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, nonadaptive and adaptive adversaries, as well as the informationtheoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.
Optimistic fair exchange of digital signatures
 IEEE Journal on Selected Areas in Communications
, 1998
"... Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an elect ..."
Abstract

Cited by 289 (10 self)
 Add to MetaCart
Abstract. We present a new protocol that allows two players to exchange digital signatures over the Internet in a fair way, so that either each player gets the other’s signature, or neither player does. The obvious application is where the signatures represent items of value, for example, an electronic check or airline ticket. The protocol can also be adapted to exchange encrypted data. The protocol relies on a trusted third party, but is “optimistic, ” in that the third party is only needed in cases where one player attempts to cheat or simply crashes. A key feature of our protocol is that a player can always force a timely and fair termination, without the cooperation of the other player. 1
On the Composition of ZeroKnowledge Proof Systems
 SIAM Journal on Computing
, 1990
"... : The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We ..."
Abstract

Cited by 214 (15 self)
 Add to MetaCart
: The wide applicability of zeroknowledge interactive proofs comes from the possibility of using these proofs as subroutines in cryptographic protocols. A basic question concerning this use is whether the (sequential and/or parallel) composition of zeroknowledge protocols is zeroknowledge too. We demonstrate the limitations of the composition of zeroknowledge protocols by proving that the original definition of zeroknowledge is not closed under sequential composition; and that even the strong formulations of zeroknowledge (e.g. blackbox simulation) are not closed under parallel execution. We present lower bounds on the round complexity of zeroknowledge proofs, with significant implications to the parallelization of zeroknowledge protocols. We prove that 3round interactive proofs and constantround ArthurMerlin proofs that are blackbox simulation zeroknowledge exist only for languages in BPP. In particular, it follows that the "parallel versions" of the first interactive proo...
Concurrent ZeroKnowledge
 IN 30TH STOC
, 1999
"... Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two proces ..."
Abstract

Cited by 185 (19 self)
 Add to MetaCart
Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2 , if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist fourround almost concurrent zeroknowledge interactive proofs and perfect concurrent zeroknowledge arguments for every language in NP . We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
BlackBox Concurrent ZeroKnowledge Requires (almost) Logarithmically Many Rounds
 SIAM Journal on Computing
, 2002
"... We show that any concurrent zeroknowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via blackbox simulation, must use at least ~ \Omega\Gamma/10 n) rounds of interaction. This result achieves a substantial improvement over previous lower bound ..."
Abstract

Cited by 111 (9 self)
 Add to MetaCart
We show that any concurrent zeroknowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via blackbox simulation, must use at least ~ \Omega\Gamma/10 n) rounds of interaction. This result achieves a substantial improvement over previous lower bounds, and is the first bound to rule out the possibility of constantround concurrent zeroknowledge when proven via blackbox simulation. Furthermore, the bound is polynomially related to the number of rounds in the best known concurrent zeroknowledge protocol for languages in NP (which is established via blackbox simulation).
Resettable zeroknowledge
, 2000
"... We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each ..."
Abstract

Cited by 80 (6 self)
 Add to MetaCart
(Show Context)
We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing it to use the same random tape. All known examples of zeroknowledge proofs and arguments are trivially breakable in this setting. Moreover, by definition, all zeroknowledge proofs of knowledge are breakable in this setting. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct: ffl Resettable ZeroKnowledge proofsystems for NP with nonconstant number of rounds. ffl Fiveround Resettable WitnessIndistinguishable proofsystems for NP. ffl Fourround Resettable ZeroKnowledge arguments for NP in the public key model: where verifiers have fixed, public keys associated with them.
Universal Composition with Joint State
, 2002
"... We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are ..."
Abstract

Cited by 79 (9 self)
 Add to MetaCart
We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are assumed to have completely disjoint local states, the new operation allows the composed protocols to have some amount of joint state (and, in particular, joint randomness) while still guaranteeing strong composability properties.
Magic Functions
, 1999
"... We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem. ..."
Abstract

Cited by 78 (1 self)
 Add to MetaCart
We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem.