Results 1  10
of
17
NonMalleable Cryptography
 SIAM Journal on Computing
, 2000
"... The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. ..."
Abstract

Cited by 448 (22 self)
 Add to MetaCart
The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zeroknowledge proofs of possession of knowledge. Nonmalleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.
Universal OneWay Hash Functions and their Cryptographic Applications
, 1989
"... We define a Universal OneWay Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We ..."
Abstract

Cited by 313 (13 self)
 Add to MetaCart
We define a Universal OneWay Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal oneway hash functions exist if any 11 oneway functions exist. Among the various applications of the primitive is a OneWay based Secure Digital Signature Scheme which is existentially secure against adoptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor oneway functions exist. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR88 13632. A preliminary version of this work app...
Publickey Cryptosystems Provably Secure against Chosen Ciphertext Attacks
 In Proc. of the 22nd STOC
, 1995
"... We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure ..."
Abstract

Cited by 249 (15 self)
 Add to MetaCart
We show how to construct a publickey cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a publickey cryptosystem secure against passive eavesdropping and a noninteractive zeroknowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words. cryptography, randomized algorithms AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10 A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. y Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: naor@wisdom.weizmann.ac.il. z IBM Research Division, T.J ...
How to Timestamp a Digital Document
 Journal of Cryptology
, 1991
"... The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to timestamp the data, not the medium. We propose computationally practical ..."
Abstract

Cited by 202 (3 self)
 Add to MetaCart
The prospect of a world in which all text, audio, picture, and video documents are in digital form on easily modifiable media raises the issue of how to certify when a document was created or last changed. The problem is to timestamp the data, not the medium. We propose computationally practical procedures for digital timestamping of such documents so that it is infeasible for a user either to backdate or to forwarddate his document, even with the collusion of a timestamping service. Our procedures maintain complete privacy of the documents themselves, and require no recordkeeping by the timestamping service. Appeared, with minor editorial changes, in Journal of Cryptology, Vol. 3, No. 2, pp. 99111, 1991. 0 Time's glory is to calm contending kings, To unmask falsehood, and bring truth to light, To stamp the seal of time in aged things, To wake the morn, and sentinel the night, To wrong the wronger till he render right. The Rape of Lucrece, l. 941 1 Introduction ...
Oneway functions are necessary and sufficient for secure signatures
, 1990
"... Much research in theoretical cryptography has been centered around finding the weakest possible cryptographic assumptions required to implement major primitives. Ever since Diffie and Hellman first suggested that modern ..."
Abstract

Cited by 197 (0 self)
 Add to MetaCart
Much research in theoretical cryptography has been centered around finding the weakest possible cryptographic assumptions required to implement major primitives. Ever since Diffie and Hellman first suggested that modern
PROACTIVE SECRET SHARING Or: How to Cope With Perpetual Leakage
, 1998
"... Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For ..."
Abstract

Cited by 183 (12 self)
 Add to MetaCart
Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For longlived and sensitive secrets this protection may be insufficient. We propose an efficient proactive secret sharing scheme, where shares are periodically renewed (without changing the secret) in such a way that information gained by the adversary in one time period is useless for attacking the secret after the shares are renewed. Hence, the adversary willing to learn the secret needs to break to all k locations during the same time period (e.g., one day, a week, etc.). Furthermore, in order to guarantee the availability and integrity of the secret, we provide mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct...
On cryptographic assumptions and challenges
 in Proceedings of IACR CRYPTO
, 2003
"... Abstract. We deal with computational assumptions needed in order to design secure cryptographic schemes. We suggest a classi£cation of such assumptions based on the complexity of falsifying them (in case they happen not to be true) by creating a challenge (competition) to their validity. As an outco ..."
Abstract

Cited by 50 (2 self)
 Add to MetaCart
Abstract. We deal with computational assumptions needed in order to design secure cryptographic schemes. We suggest a classi£cation of such assumptions based on the complexity of falsifying them (in case they happen not to be true) by creating a challenge (competition) to their validity. As an outcome of this classi£cation we propose several open problems regarding cryptographic tasks that currently do not have a good challenge of that sort. The most outstanding one is the design of an ef£cient block ciphers. 1 The Main Dilemma Alice and Bob are veteran cryptographers (see Dif£e [15] for their history; apparently RSA [38] is their £rst cooperation). One day, while Bob is sitting in his of£ce his colleague Alice enters and says: “I have designed a new signature scheme. It has an 120 bits long public key and the signatures are 160 bits long”. That’s fascinating, says Bob, but what computational assumption is it based on? Well, says Alice, it is based on a new trapdoor permutation fk and a new hash function h and the assumption that after given fk (but not the trapdoor information) and many pairs of the form (mi, f −1
Deniable Ring Authentication
 In Proceedings of Crypto 2002, volume 2442 of LNCS
, 2002
"... Abstract. Digital Signatures enable authenticating messages in a way that disallows repudiation. While nonrepudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Si ..."
Abstract

Cited by 30 (3 self)
 Add to MetaCart
Abstract. Digital Signatures enable authenticating messages in a way that disallows repudiation. While nonrepudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Signatures (see Rivest, Shamir and Tauman [38]). In this paper we show how to combine these notions and achieve Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad hoc subset of participants (a ring) is authenticating a message m without revealing which one (source hiding), and the verifier V cannot convince a third party that message m was indeed authenticated – there is no ‘paper trail ’ of the conversation, other than what could be produced by V alone, as in zeroknowledge. We provide an efficient protocol for deniable ring authentication based on any strong encryption scheme. That is once an entity has published a publickey of such an encryption system, it can be drafted to any such ring. There is no need for any other cryptographic primitive. The scheme can be extended to yield threshold authentication (e.g. at least k members of the ring are approving the message) as well. 1
PublicKey Cryptography and Password Protocols: The MultiUser Case
 In CCS ’99: Proceedings of the 6th ACM conference on Computer and communications security
, 1999
"... The problem of password authentication over an insecure network when the user holds only a humanmemorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in whi ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
The problem of password authentication over an insecure network when the user holds only a humanmemorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied offline password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we: ffl Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the twouser case. ffl Propose a new definition of security for the multiuser case, expressed in terms of transcripts of the entire system, rather than individual protocol executions. ffl Suggest several ways of achieving this security against both static and dynamic adversaries. In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multiuser case. We expose a weakness in their revised definition. 1
Towards Provably Secure Efficient Electronic Cash (Extended Abstract)
, 1992
"... An "electronic coin scheme" as defined by Chaum, Fiat, and Naor [5] is a collection of protocols to achieve untraceable, unforgeable coins with offline purchasing; this is the minimum set of properties to make electronic money useful. We give a new electronic coin scheme that is simple and practical ..."
Abstract

Cited by 28 (4 self)
 Add to MetaCart
An "electronic coin scheme" as defined by Chaum, Fiat, and Naor [5] is a collection of protocols to achieve untraceable, unforgeable coins with offline purchasing; this is the minimum set of properties to make electronic money useful. We give a new electronic coin scheme that is simple and practical. Withdrawal requires only two rounds of interaction, while purchase and deposit are noninteractive; all previous efficient cash schemes require interaction (cutandchoose) for purchases. Moreover, messages during purchase and deposit contain only a few encrypted values, independent of the tolerable probability of cheating. We present a security model for electronic coins, and prove the security of our scheme relative to certain specific cryptographic assumptions (hardness of Discrete Log and possibility of secure blind signature). TR CUCS01892 Partially supported by an AT&T Bell Laboratories Scholarship 1 Introduction Six desirable properties of electronic money are stated by Okamo...