Results 1  10
of
59
Secure Integration of Asymmetric and Symmetric Encryption Schemes
, 1999
"... This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense  indistinguishability against adaptive chosenciphertext attacks in the random oracle model. In particular, this convers ..."
Abstract

Cited by 171 (9 self)
 Add to MetaCart
This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense  indistinguishability against adaptive chosenciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, many enough variants of the encryption, like the ElGamal encryption scheme.
HMQV: A HighPerformance Secure DiffieHellman Protocol
 Protocol, Advances in Cryptology — CRYPTO ’05, LNCS 3621
, 2005
"... The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a ..."
Abstract

Cited by 112 (2 self)
 Add to MetaCart
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information".
How to Enhance the Security of PublicKey Encryption at Minimum Cost
, 1999
"... This paper presents a simple and generic conversion from a publickey encryption scheme which is indistinguishable against chosenplaintext attacks into a publickey encryption scheme which is indistinguishable against adaptive chosenciphertext attacks in the random oracle model. The scheme obtained ..."
Abstract

Cited by 78 (8 self)
 Add to MetaCart
This paper presents a simple and generic conversion from a publickey encryption scheme which is indistinguishable against chosenplaintext attacks into a publickey encryption scheme which is indistinguishable against adaptive chosenciphertext attacks in the random oracle model. The scheme obtained by the conversion is as efficient as the original encryption scheme and the security reduction is very tight in the exact security manner.
On the Existence of 3Round ZeroKnowledge Protocols
 In Crypto98, Springer LNCS 1462
, 1999
"... In this paper, we construct a 3round zeroknowledge protocol for any NP language. Our protocol achieves weaker notions of zeroknowledge than blackbox simulation zeroknowledge. Therefore, our result does not contradict the triviality result of Goldreich and Krawczyk [GoKr96] which shows that 3ro ..."
Abstract

Cited by 51 (2 self)
 Add to MetaCart
In this paper, we construct a 3round zeroknowledge protocol for any NP language. Our protocol achieves weaker notions of zeroknowledge than blackbox simulation zeroknowledge. Therefore, our result does not contradict the triviality result of Goldreich and Krawczyk [GoKr96] which shows that 3round blackbox simulation zeroknowledge exist only for BPP languages. Our main contribution is to provide a nonblackbox simulation technique. Whether there exists such a simulation technique was a major open problem in the theory of zeroknowledge. Our simulation technique is based on a nonstandard computational assumption related to the Di#eHellman problem, which was originally proposed by Damgard [Da91]. This assumption, which we call the DA1, says that, given randomly chosen instance of the discrete logarithm problem (p, q, g, g a ), it is infeasible to compute (B, X) such that X = B a mod p without knowing the value b satisfying B = g b mod p. Our protocol achieves di#erent no...
Towards plaintextaware publickey encryption without random oracles
 Advances in Cryptology – Asiacrypt 2004, volume 3329 of Lecture Notes in Computer Science
, 2004
"... Abstract. We consider the problem of defining and achieving plaintextaware encryption without random oracles in the classical publickey model. We provide definitions for a hierarchy of notions of increasing strength: PA0, PA1 and PA2, chosen so that PA1+INDCPA → INDCCA1 and PA2+INDCPA → INDCCA2 ..."
Abstract

Cited by 42 (0 self)
 Add to MetaCart
Abstract. We consider the problem of defining and achieving plaintextaware encryption without random oracles in the classical publickey model. We provide definitions for a hierarchy of notions of increasing strength: PA0, PA1 and PA2, chosen so that PA1+INDCPA → INDCCA1 and PA2+INDCPA → INDCCA2. Towards achieving the new notions of plaintext awareness, we show that a scheme due to Damg˚ard [12], denoted DEG, and the “lite ” version of the CramerShoup scheme [11], denoted CSlite, are both PA0 under the DHK0 assumption of [12], and PA1 under an extension of this assumption called DHK1. As a result, DEG is the most efficient proven INDCCA1 scheme known. 1
Advances in Cryptographic Voting Systems
, 2006
"... Democracy depends on the proper administration of popular elections. Voters should receive assurance that their intent was correctly captured and that all eligible votes were correctly tallied. The election system as a whole should ensure that voter coercion is unlikely, even when voters are willing ..."
Abstract

Cited by 42 (1 self)
 Add to MetaCart
Democracy depends on the proper administration of popular elections. Voters should receive assurance that their intent was correctly captured and that all eligible votes were correctly tallied. The election system as a whole should ensure that voter coercion is unlikely, even when voters are willing to be influenced. These conflicting requirements present a significant challenge: how can voters receive enough assurance to trust the election result, but not so much that they can prove to a potential coercer how they voted? This dissertation explores cryptographic techniques for implementing verifiable, secretballot elections. We present the power of cryptographic voting, in particular its ability to successfully achieve both verifiability and ballot secrecy, a combination that cannot be achieved by other means. We review a large portion of the literature on cryptographic voting. We propose three novel technical ideas: 1. a simple and inexpensive paperbase cryptographic voting system with some interesting advantages over existing techniques, 2. a theoretical model of incoercibility for human voters with their inherent limited computational ability, and a new ballot casting system that fits the new definition, and
Immunizing Public Key Cryptosystems against Chosen Ciphertext Attacks
, 1993
"... This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the exact objec ..."
Abstract

Cited by 27 (7 self)
 Add to MetaCart
This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the exact object ciphertext to be cryptanalyzed. The first strengthening method is based on the use of oneway hash functions, the second on the use of universal hash functions and the third on the use of digital signature schemes. Each method is illustrated by an example of a public key cryptosystem based on the intractability of computing discrete logarithms in finite fields. Security of the three example cryptosystems is formally proved. Two other issues, namely applications of the methods to public key cryptosystems based on other intractable problems and enhancement of information authentication capability to the cryptosystems, are also discussed. 1 Introduction A considerable amount of research has ...
Perfect nizk with adaptive soundness
 In proceedings of TCC ’07, LNCS series
, 2007
"... Abstract. The notion of noninteractive zeroknowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NPlanguage with ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
Abstract. The notion of noninteractive zeroknowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NPlanguage with statistical or even perfect ZK? Groth, Ostrovsky and Sahai recently answered this question in the affirmative. However, in order to achieve adaptive soundness, i.e., soundness against dishonest provers who may choose the target statement depending on the common reference string (CRS), their schemes require some restriction to be put upon the statements to be proven, e.g. an apriori bound on its size. In this work, we first present a very simple and efficient adaptivelysound perfect NIZK argument system for any NPlanguage. Besides being the first adaptivelysound statistical NIZK argument for all NP that does not pose any restriction on the statements to be proven, it enjoys a number of additional desirable properties: it allows to reuse the CRS, it can handle arithmetic circuits, and the CRS can be setup very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NPreductions. The security of the proposed schemes is based on a strong nonstandard assumption, an extended version of the socalled KnowledgeofExponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonlyused approach for proving NIZK arguments sound does not allow for adaptivelysound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the nonstandard assumption in a preprocessing model.
From extractable collision resistance to succinct noninteractive arguments of knowledge, and back again
, 2011
"... The existence of succinct noninteractive arguments for NP (i.e., noninteractive computationallysound proofs where the verifier’s work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in ..."
Abstract

Cited by 26 (12 self)
 Add to MetaCart
The existence of succinct noninteractive arguments for NP (i.e., noninteractive computationallysound proofs where the verifier’s work is essentially independent of the complexity of the NP nondeterministic verifier) has been an intriguing question for the past two decades. Other than CS proofs in the random oracle model [Micali, FOCS ’94], the only existing candidate construction is based on an elaborate assumption that is tailored to a specific protocol [Di Crescenzo and Lipmaa, CiE ’08]. We formulate a general and relatively natural notion of an extractable collisionresistant hash function (ECRH) and show that, if ECRHs exist, then a modified version of Di Crescenzo and Lipmaa’s protocol is a succinct noninteractive argument for NP. Furthermore, the modified protocol is actually a succinct noninteractive adaptive argument of knowledge (SNARK). We then propose several candidate constructions for ECRHs and relaxations thereof. We demonstrate the applicability of SNARKs to various forms of delegation of computation, to succinct noninteractive zero knowledge arguments, and to succinct twoparty secure computation. Finally, we show that SNARKs essentially imply the existence of ECRHs, thus demonstrating the necessity of
Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks
 In Advances in Cryptology–Crypto ’92
, 1992
"... Abstract. This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the e ..."
Abstract

Cited by 23 (2 self)
 Add to MetaCart
Abstract. This paper presents three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertexts, except for the exact object ciphertext to be cryptanalyzed. The rst strengthening method is based on the use of oneway hash functions, the second on the use of universal hash functions and the third on the use of digital signature schemes. Each method is illustrated by an example ofapublickey cryptosystem based on the intractability ofcomputing discrete logarithms in nite elds. Two other issues, namely applications of the methods to public key cryptosystems based on other intractable problems and enhancement of information authentication capability to the cryptosystems, are also discussed. 1