Results 1  10
of
60
A hardcore predicate for all oneway functions
 In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing
, 1989
"... Abstract rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small A central tool in constructing pseudorandom that f can be inverted (and the “hardcore” generators, secure encryption functions, and bit computed) by exhaustive search. in other areas are “hardc ..."
Abstract

Cited by 356 (5 self)
 Add to MetaCart
Abstract rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small A central tool in constructing pseudorandom that f can be inverted (and the “hardcore” generators, secure encryption functions, and bit computed) by exhaustive search. in other areas are “hardcore ” predicates b In this paper we show that every oneof functions (permutations) f, discovered in way function, padded to the form f(p,z) = [Blum Micali $21. Such b ( 5) cannot be effi (P,9(X)), llPl / = 11z//, has bY itself a hardcore ciently guessed (substantially better than SO predicate of the same (within a polynomial) 50) given only f(z). Both b, f are computable security. Namely, we prove a conjecture of in polynomial time. [Levin 87, sec. 5.6.21 that the sca1a.r product [Yao 821 transforms any oneway function of boolean vectors p, x is a hardcore of every f into a more complicated one, f*, which has oneway function f(p, x) = (p,g(x)). The rea hardcore predicate. The construction ap sult extends to multiple (up to the logarithm plies the original f to many small pieces of of security) such bits and to any distribution the input to f * just to get one “hardcore ” on the z’s for which f is hard to invert.
Universal OneWay Hash Functions and their Cryptographic Applications
, 1989
"... We define a Universal OneWay Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We ..."
Abstract

Cited by 313 (13 self)
 Add to MetaCart
We define a Universal OneWay Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal oneway hash functions exist if any 11 oneway functions exist. Among the various applications of the primitive is a OneWay based Secure Digital Signature Scheme which is existentially secure against adoptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor oneway functions exist. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR88 13632. A preliminary version of this work app...
Hardness vs. randomness
 Journal of Computer and System Sciences
, 1994
"... We present a simple new construction of a pseudorandom bit generator, based on the constant depth generators of [N]. It stretches a short string of truly random bits into a long string that looks random to any algorithm from a complexity class C (eg P, NC, PSPACE,...) using an arbitrary function tha ..."
Abstract

Cited by 284 (30 self)
 Add to MetaCart
We present a simple new construction of a pseudorandom bit generator, based on the constant depth generators of [N]. It stretches a short string of truly random bits into a long string that looks random to any algorithm from a complexity class C (eg P, NC, PSPACE,...) using an arbitrary function that is hard for C. This construction reveals an equivalence between the problem of proving lower bounds and the problem of generating good pseudorandom sequences. Our construction has many consequences. The most direct one is that efficient deterministic simulation of randomized algorithms is possible under much weaker assumptions than previously known. The efficiency ofthe simulations depends on the strength of the assumptions, and may achieve P =BPP. Webelieve that our results are very strong evidence that the gap between randomized and deterministic complexity is not large. Using the known lower bounds for constant depth circuits, our construction yields an unconditionally proven pseudorandom generator for constant depth circuits. As an application of this generator we characterize the power of NP with a random oracle. 1.
Dynamic accumulators and application to efficient revocation of anonymous credentials
 http://eprint.iacr.org/2001, 2001. Jan Camenisch and Anna Lysyanskaya
"... Abstract. We introduce the notion of a dynamic accumulator. Anaccumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value ..."
Abstract

Cited by 168 (11 self)
 Add to MetaCart
Abstract. We introduce the notion of a dynamic accumulator. Anaccumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dynamic accumulator and an efficient zeroknowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA assumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.
CollisionFree Accumulators and FailStop Signature Schemes Without Trees
, 1997
"... . Oneway accumulators, introduced by Benaloh and de Mare, can be used to accumulate a large number of values into a single one, which can then be used to authenticate every input value without the need to transmit the others. However, the oneway property does is not sufficient for all applications ..."
Abstract

Cited by 164 (0 self)
 Add to MetaCart
. Oneway accumulators, introduced by Benaloh and de Mare, can be used to accumulate a large number of values into a single one, which can then be used to authenticate every input value without the need to transmit the others. However, the oneway property does is not sufficient for all applications. In this paper, we generalize the definition of accumulators and define and construct a collisionfree subtype. As an application, we construct a failstop signature scheme in which many onetime public keys are accumulated into one short public key. In contrast to previous constructions with tree authentication, the length of both this public key and the signatures can be independent of the number of messages that can be signed. 1 Introduction The security of digital signature schemes depends on socalled computational assumptions, e.g., the factoring assumption. If somebody can break the assumption on which the system is based, and if he can therefore get the private key of the signer, h...
Secure hashandsign signatures without the random oracle
, 1999
"... We present a new signature scheme which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture. This scheme is not based on "signature trees", and instead it uses the so called "hashandsign" paradigm. It is unique in that the assumptions made on the ..."
Abstract

Cited by 121 (9 self)
 Add to MetaCart
We present a new signature scheme which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture. This scheme is not based on "signature trees", and instead it uses the so called "hashandsign" paradigm. It is unique in that the assumptions made on the cryptographic hash function in use are well defined and reasonable (although nonstandard). In particular, we do not model this function as a random oracle. We construct our proof of security in steps. First we describe and prove a construction which operates in the random oracle model. Then we show that the random oracle in this construction can be replaced by a hash function which satisfies some strong (but well defined!) computational assumptions. Finally,we demonstrate that these assumptions are reasonable, by proving that a function satisfying them exists under standard intractability assumptions.
Oneway accumulators: A decentralized alternative to digital signatures
, 1993
"... Abstract. This paper describes a simple candidate oneway hash function which satisfies a quasicommutative property that allows it to be used aa an accumulator. This property allows protocols to be developed in which the need for a trusted central authority can be eliminated. Spaceefficient distr ..."
Abstract

Cited by 114 (0 self)
 Add to MetaCart
Abstract. This paper describes a simple candidate oneway hash function which satisfies a quasicommutative property that allows it to be used aa an accumulator. This property allows protocols to be developed in which the need for a trusted central authority can be eliminated. Spaceefficient distributed protocols are given for document time stamping and for membership testing, and many other applications are possible. 1
Randomness vs. Time: Derandomization under a uniform assumption
 Journal of Computer and System Sciences
, 1998
"... We prove that if BPP 6= EXP, then every problem in BPP can be solved deterministically in subexponential time on almost every input ( on every samplable ensemble for infinitely many input sizes). This is the first derandomization result for BPP based on uniform, noncryptographic hardness assumptions ..."
Abstract

Cited by 75 (11 self)
 Add to MetaCart
We prove that if BPP 6= EXP, then every problem in BPP can be solved deterministically in subexponential time on almost every input ( on every samplable ensemble for infinitely many input sizes). This is the first derandomization result for BPP based on uniform, noncryptographic hardness assumptions. It implies the following gap in the averageinstance complexities of problems in BPP : either these complexities are always subexponential or they contain arbitrarily large exponential functions. We use a construction of a small "pseudorandom " set of strings from a "hard function" in EXP which is identical to that used in the analogous nonuniform results of [21, 3]. However, previous proofs of correctness assume the "hard function" is not in P=poly. They give a nonconstructive argument that a circuit distinguishing the pseudorandom strings from truly random strings implies that a similarlysized circuit exists computing the "hard function". Our main technical contribution is to show ...
Forwardsecure signatures with optimal signing and verifying
, 2001
"... Abstract. We propose the first forwardsecure signature scheme for which both signing and verifying are as efficient as for one of the most efficient ordinary signature schemes (GuillouQuisquater [GQ88]), each requiring just two modular exponentiations with a short exponent. All previously proposed ..."
Abstract

Cited by 65 (4 self)
 Add to MetaCart
Abstract. We propose the first forwardsecure signature scheme for which both signing and verifying are as efficient as for one of the most efficient ordinary signature schemes (GuillouQuisquater [GQ88]), each requiring just two modular exponentiations with a short exponent. All previously proposed forwardsecure signature schemes took significantly longer to sign and verify than ordinary signature schemes. Our scheme requires only fractional increases to the sizes of keys and signatures, and no additional public storage. Like the underlying [GQ88] scheme, our scheme is provably secure in the random oracle model. 1
An Efficient Existentially Unforgeable Signature Scheme and its Applications
 Journal of Cryptology
, 1994
"... A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs (m 1 ; S(m 1 )); (m 2 ; S(m 2 )); : : : (m k ; S(m k )) where S(m) denotes the signature on the message m, it is computationally infeasible to generate a pair (m k+1 ; S(m k+1 )) fo ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
A signature scheme is existentially unforgeable if, given any polynomial (in the security parameter) number of pairs (m 1 ; S(m 1 )); (m 2 ; S(m 2 )); : : : (m k ; S(m k )) where S(m) denotes the signature on the message m, it is computationally infeasible to generate a pair (m k+1 ; S(m k+1 )) for any message m k+1 = 2 fm 1 ; : : : m k g. We present an existentially unforgeable signature scheme that for a reasonable setting of parameters requires at most 6 times the amount of time needed to generate a signature using "plain" RSA (which is not existentially unforgeable). We point out applications where our scheme is desirable. Preliminary version appeared in Crypto'94 y IBM Research Division, Almaden Research Center, 650 Harry Road, San Jose, CA 95120. Research supported by a BSF Grant 32000321. Email: dwork@almaden.ibm.com. z Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Re...