On Deniability in the Common Reference String and Random Oracle Model
In proceedings of CRYPTO ’03, LNCS series, 2003
Cited by 52 (5 self)
Abstract. We revisit the definitions of zero-knowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zero-knowledge definition, they lose some of its spirit. In particular, we show that there exists a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zero-knowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zero-knowledge protocols in “natural” settings where such protocols cannot already be achieved in the plain model. – In the RO model, on the other hand, we construct an efficient 2-round deniable zero-knowledge argument of knowledge, that preserves both the zero-knowledge property and the proof of knowledge property under concurrent executions (concurrent zero-knowledge and concurrent proof-of-knowledge).
Public-Key Cryptosystems Resilient to Key Leakage
Cited by 51 (6 self)
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture side-channel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent side-channel attacks, especially the “cold boot attacks” of Halderman et al. (USENIX Security ’08), Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of side-channel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of public-key encryption, Akavia et al. showed that Regev’s lattice-based scheme (STOC ’05) is resilient to any leakage of
Simulation-sound NIZK proofs for a practical language and constant size group signatures, 2006. Full paper available at http://www.brics.dk/~jg/NIZKGroupSignFull.pdf
Cited by 45 (9 self)
Abstract. Non-interactive zero-knowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP-complete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulation-sound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.
Towards plaintext-aware public-key encryption without random oracles
Advances in Cryptology – Asiacrypt 2004, volume 3329 of Lecture Notes in Computer Science, 2004
Cited by 42 (0 self)
Abstract. We consider the problem of defining and achieving plaintext-aware encryption without random oracles in the classical public-key model. We provide definitions for a hierarchy of notions of increasing strength: PA0, PA1 and PA2, chosen so that PA1+IND-CPA → IND-CCA1 and PA2+IND-CPA → IND-CCA2. Towards achieving the new notions of plaintext awareness, we show that a scheme due to Damgård [12], denoted DEG, and the “lite” version of the Cramer-Shoup scheme [11], denoted CS-lite, are both PA0 under the DHK0 assumption of [12], and PA1 under an extension of this assumption called DHK1. As a result, DEG is the most efficient proven IND-CCA1 scheme known.
On Monotone Formula Closure of SZK
1994
Cited by 41 (1 self)
We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the non-interactive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that interactive SZK for random self-reducible languages (RSR) (and for co-RSR) is closed under monotone boolean operations. Namely, we give SZK proofs for monotone boolean formulae whose atoms are statements about an SZK language which is RSR (or a complement of RSR). All previously known languages in SZK are in these classes. We then show that if a language L has a non-interactive SZK proof system then honest-verifier interactive SZK proof systems exist for all monotone boolean formulae whose atoms are statements about the complement of L. We also discuss extensions and generalizations. 1 Introduction Goldwasser, Micali, and Rackoff [34] introduced the notion of a zero-knowledge proof, a proof ...
A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions
2004
Perfect non-interactive zero knowledge for NP
Proceedings of Eurocrypt 2006, volume 4004 of LNCS, 2006
Cited by 39 (3 self)
Abstract. Non-interactive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for non-interactive zero-knowledge this problem remained open since the inception of NIZK in the late 1980's. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks
In Proc. of ASIACRYPT, 2000
Cited by 33 (3 self)
Semantic security against chosen-ciphertext attacks (IND-CCA) is widely believed to be the correct security level for public-key encryption schemes. On the other hand, it is often dangerous to give the power of decryption to only one person. Therefore, threshold cryptosystems aim at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving IND-CCA. Both are El Gamal-like schemes and thus are based on the same intractability assumption, namely the Decisional Diffie-Hellman problem. In this article we rehabilitate the twin-encryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) IND-CPA schemes into (threshold) IND-CCA ones in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of a threshold cryptosystem secure against chosen-ciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the “homomorphic properties” of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a “homomorphic cryptosystem”, but just keep the homomorphic properties.
Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer
1999
Cited by 30 (0 self)
We present a new and very simple commitment scheme that does not depend on any assumptions about computational complexity; the Sender and Receiver may both be computationally unbounded. Instead, the scheme utilizes a "trusted initializer" who participates only in an initial setup phase. The scheme also utilizes private channels between each pair of parties. The Sender is able to easily commit to a large value; the scheme is not just a "bit-commitment" scheme. We also observe that 1-out-of-n oblivious transfer is easily handled in the same model, using a simple OT protocol due to Bennett et al. [2].
Threshold password-authenticated key exchange
In CRYPTO 2002 (LNCS 2442), 2002
Cited by 27 (7 self)
Abstract. In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user’s password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.