Results 1-10 of 82

Limits on the Provable Consequences of One-way Permutations
1989
Cited by 162 (0 self)
We present strong evidence that the implication "if one-way permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ NP. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form "Cryptographic application X is not likely possible based solely on complexity assumption Y."

A cryptographic solution to a game theoretic problem
In CRYPTO 2000: 20th International Cryptology Conference, 2000
Cited by 61 (1 self)
In this work we use cryptography to solve a game-theoretic problem which arises naturally in the area of two-party strategic games. The standard game-theoretic solution concept for such games is that of an equilibrium, which is a pair of “self-enforcing” strategies making each player’s strategy an optimal response to the other player’s strategy. It is known that for many games the expected equilibrium payoffs can be much higher when a trusted third party (a “mediator”) assists the players in choosing their moves (correlated equilibria) than when each player has to choose its move on its own (Nash equilibria). It is natural to ask whether there exists a mechanism that eliminates the need for the mediator yet allows the players to maintain the high payoffs offered by mediator-assisted strategies. We answer this question affirmatively provided the players are computationally bounded and can have free communication (so-called “cheap talk”) prior to playing the game. The main building block of our solution is an efficient cryptographic protocol for the following Correlated Element Selection problem, which is of independent interest. Both Alice and Bob know a list of pairs (a1, b1), ..., (an, bn) (possibly with repetitions), and they want to pick a random index i such that Alice learns only ai and Bob learns only bi. Our solution to this problem has a constant number of rounds, negligible error probability, and uses only very simple zero-knowledge proofs. We then show how to incorporate our cryptographic protocol back into a game-theoretic setting, which highlights some interesting parallels between cryptographic protocols and extensive form games.

Robust Efficient Distributed RSA-Key Generation
Cited by 55 (4 self)
We solve a central open problem in distributed cryptography, that of robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test "circuit size", while a robust protocol allows correct completion even in the presence of a minority of arbitrarily misbehaving malicious parties. Our protocol is shown to be secure against any minority of malicious parties (which is optimal). The above problem was mentioned in various works in the last decade and most recently by Boneh and Franklin [BF97]. The solution is a crucial step in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities), as well as other applications besides RSA (namely: composite ElGamal, identification schemes, simultaneous bit exchange, etc.). Of special interest is the fact that the solution can be combined with recent proactive function sharing tec...

Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints
In Crypto98, Springer LNCS 1462, 1998
Cited by 52 (7 self)
An interactive proof system (or argument) (P, V) is concurrent zero-knowledge if, whenever the prover engages in polynomially many concurrent executions of (P, V) with (possibly distinct) colluding polynomial-time-bounded verifiers V1, ..., Vpoly(n), the entire undertaking is zero-knowledge. Dwork, Naor, and Sahai recently showed the existence of a large class of concurrent zero-knowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of non-faulty processors. In this paper, we continue the study of concurrent zero-knowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zero-knowledge arguments (again including arguments for all of NP), we design a preprocessing protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zero-knowledge. Once a particular prover and verifier have executed the preprocessing protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zero-knowledge.

Detection and prevention of MAC layer misbehavior for ad hoc networks
2004
Cited by 37 (8 self)
Selfish behavior at the MAC layer can have devastating side effects on the performance of wireless networks, similar to the effects of DoS attacks. In this paper we focus on the prevention and detection of the manipulation of the backoff mechanism by selfish nodes in 802.11. We first propose an algorithm to ensure honest backoffs when at least one of the receiver or the sender is honest. Then we discuss detection algorithms to deal with the problem of colluding selfish nodes. Although we have focused on the MAC layer of 802.11, our approach is general and can serve as a guideline for the design of any probabilistic distributed MAC protocol.

Limits on the Provable Consequences of One-way Functions
1989
Cited by 32 (1 self)
This technical point will prevent the reader from suspecting any measure-theoretic fallacy.

Optimistic Protocols for Multi-Party Fair Exchange
1996
Cited by 28 (3 self)
We describe a generic protocol for fair multi-party exchange of electronic goods over unreliable networks with non-repudiation, where goods are either signatures (i.e., non-repudiation tokens of public data), confidential data, or payments. The protocol does not involve a third party except for recovery over a reliable network.

Energy-Efficient Link-Layer Jamming Attacks against Wireless . . .
WIRELESS SENSOR NETWORK MAC PROTOCOLS SANS’05, 2005

Logics for Reasoning about Cryptographic Constructions
In Proc. 44th IEEE Symposium on Foundations of Computer Science, 2003
Cited by 25 (1 self)
We present two logical systems for reasoning about cryptographic constructions which are sound with respect to standard cryptographic definitions of security. Soundness of the first system is proved using techniques from nonstandard models of arithmetic. Soundness of the second system is proved by an interpretation into the first system. We also present examples of how these systems may be used to formally prove the correctness of some elementary cryptographic constructions.