Privacy-preserving set operations
In Advances in Cryptology - CRYPTO 2005, LNCS, 2005
Cited by 103 (0 self)
In many important applications, a collection of mutually distrustful parties must perform private computation over multisets. Each party's input to the function is his private input multiset. In order to protect these private sets, the players perform privacy-preserving computation; that is, no party learns more information about other parties' private input sets than what can be deduced from the result. In this paper, we propose efficient techniques for privacy-preserving operations on multisets. By employing the mathematical properties of polynomials, we build a framework of efficient, secure, and composable multiset operations: the union, intersection, and element reduction operations. We apply these techniques to a wide range of practical problems, achieving more efficient results than those of previous work.
Secure communications over insecure channels based on short authenticated strings
In Advances in Cryptology (Crypto), 2005
Cited by 87 (2 self)
We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication, as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modified, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a confidential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restore of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted.
Efficient Mutual Data Authentication Using Manually Authenticated Strings
Cryptology ePrint Archive, Report 2005/424, 2005
Cited by 66 (7 self)
Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short-range wireless communication. All such key exchange protocols employ data authentication as an unavoidable subtask. As a solution, we propose an asymptotically optimal protocol family for data authentication that uses short manually authenticated out-of-band messages. Compared to previous articles by Vaudenay and Pasini, the results of this paper are more general and based on weaker security assumptions. In addition to providing security proofs for our protocols, we also focus on implementation details and propose practically secure and efficient sub-primitives for applications.
Universally Composable Security with Global Setup
In Proceedings of the 4th Theory of Cryptography Conference, 2007
Cited by 39 (3 self)
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that re-establishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
Perfect non-interactive zero knowledge for NP
Proceedings of Eurocrypt 2006, volume 4004 of LNCS, 2006
Cited by 39 (3 self)
Non-interactive zero-knowledge (NIZK) proof systems are fundamental cryptographic primitives used in many constructions, including CCA2-secure cryptosystems, digital signatures, and various cryptographic protocols. What makes them especially attractive is that they work equally well in a concurrent setting, which is notoriously hard for interactive zero-knowledge protocols. However, while for interactive zero-knowledge we know how to construct statistical zero-knowledge argument systems for all NP languages, for non-interactive zero-knowledge this problem remained open since the inception of NIZK in the late 1980s. Here we resolve two problems regarding NIZK: We construct the first perfect NIZK argument system for any NP
Universally Composable Password-Based Key Exchange
Advances in Cryptology - Eurocrypt 2005, LNCS, 2005
Cited by 37 (8 self)
We propose and realize a definition of security for password-based key exchange within the framework of universal composability (UC), thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For instance, our definition does not assume any underlying probability distribution on passwords, nor does it assume independence between passwords chosen by different parties. We also formulate a definition of password-based secure channels, and show how to realize such channels given any password-based key exchange protocol. The password-based key exchange protocol shown here is in the common reference string model and relies on standard number-theoretic assumptions. The components of our protocol can be instantiated to give a relatively efficient solution which is conceivably usable in practice. We also show that it is impossible to satisfy our definition in the "plain" model (e.g., without
Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer
In the 8th TCC, Springer (LNCS 6597), 2011
Cited by 23 (3 self)
Protocols for secure two-party computation enable a pair of parties to compute a function of their inputs while preserving security properties such as privacy, correctness and independence of inputs. Recently, a number of protocols have been proposed for the efficient construction of two-party computation secure in the presence of malicious adversaries (where security is proven under the standard simulation-based ideal/real model paradigm for defining security). In this paper, we present a protocol for this task that follows the methodology of using cut-and-choose to boost Yao's protocol to be secure in the presence of malicious adversaries. Relying on specific assumptions (DDH), we construct a protocol that is significantly more efficient and far simpler than the protocol of Lindell and Pinkas (Eurocrypt 2007) that follows the same methodology. We provide an exact, concrete analysis of the efficiency of our scheme and demonstrate that (at least for not very small circuits) our protocol is more efficient than any other known today.
Keywords: secure two-party computation, malicious adversaries, cut-and-choose, concrete efficiency
Private and Threshold Set-Intersection
In Advances in Cryptology – CRYPTO '05, 2004
Cited by 17 (2 self)
In this paper we consider the problem of privately computing the intersection of sets (set-intersection), as well as several variations on this problem: cardinality set-intersection, threshold set-intersection, and over-threshold set-intersection. Cardinality set-intersection is the problem of determining the size of the intersection set, without revealing the actual threshold set. In threshold set-intersection, only the elements which appear at least a threshold number t times in the players' private inputs are revealed. Over-threshold set-intersection is a variation on threshold set-intersection in which not only the threshold set is revealed, but also the number of times each element in the threshold set appeared in the private inputs. We propose protocols that are more...
SAS-based group authentication and key agreement protocols
In Public Key Cryptography, 2008
Cited by 15 (0 self)
New trends in consumer electronics have created a strong demand for fast, reliable and user-friendly key agreement protocols. However, many key agreement protocols are secure only against passive attacks. Therefore, message authentication is often unavoidable in order to achieve security against active adversaries. Pasini and Vaudenay were the first to propose a new compelling methodology for message authentication. Namely, their two-party protocol uses short authenticated strings (SAS) instead of pre-shared secrets or public-key infrastructure, which are the classical tools to achieve authenticity. In this article, we generalise this methodology for multi-party settings. We give a new group message authentication protocol that utilises only limited authenticated communication and show how to combine this protocol with classical key agreement procedures. More precisely, we describe how to transform any group key agreement protocol that is secure against passive attacks into a new protocol that is secure against active attacks.
Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks
In CRYPTO, 2004
Cited by 15 (1 self)
We introduce the notion of multi-trapdoor commitments, which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent man-in-the-middle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or Diffie-Hellman Assumption.