Results 11-20 of 60
Efficient Consistency Proofs for Generalized Queries on Committed Database
2004
Cited by 19 (2 self)
A consistent query protocol (CQP) allows a database owner to publish a very short string c which commits her and everybody else to a particular database D, so that any copy of the database can later be used to answer queries and give short proofs that the answers are consistent with the commitment c.
On cryptography with auxiliary input
2009
Cited by 18 (2 self)
We study the question of designing cryptographic schemes which are secure even if an arbitrary function f(sk) of the secret key is leaked, as long as the secret key sk is still (exponentially) hard to compute from this auxiliary input. This setting of auxiliary input is more general than the more traditional setting, which assumes that some information about the secret key sk may be leaked, but sk still has high min-entropy left. In particular, we deal with situations where f(sk) information-theoretically determines the entire secret key sk. As our main result, we construct CPA/CCA secure symmetric encryption schemes that remain secure with exponentially hard-to-invert auxiliary input. We give several applications of such schemes.
• We construct an average-case obfuscator for the class of point functions, which remains secure with exponentially hard-to-invert auxiliary input, and is reusable.
• We construct a reusable and robust extractor that remains secure with exponentially hard-to-invert auxiliary input.
Our results rely on a new cryptographic assumption, Learning Subspace-with-Noise (LSN), which is related to the well-known Learning Parity-with-Noise (LPN) assumption.
Pseudorandom function tribe ensembles based on one-way permutations: Improvements and applications
In Advances in Cryptology - EUROCRYPT '99, Lecture Notes in Computer Science
1999
Cited by 13 (1 self)
Pseudorandom function tribe ensembles are pseudorandom function ensembles that have an additional collision resistance property: almost all functions have disjoint ranges. We present an alternative to the construction of pseudorandom function tribe ensembles based on one-way permutations given by Canetti, Micciancio and Reingold [7]. Our approach yields two different but related solutions: One construction is somewhat theoretic, but conceptually simple and therefore gives an easier proof that one-way permutations suffice to construct pseudorandom function tribe ensembles. The other, slightly more complicated solution provides a practical construction; it starts with an arbitrary pseudorandom function ensemble and assimilates the one-way permutation to this ensemble. Therefore, the second solution inherits important characteristics of the underlying pseudorandom function ensemble: it is almost as efficient and if the starting pseudorandom function ensemble is invertible then so is the derived tribe ensemble. We also show that the latter solution yields so-called committing private-key encryption schemes, i.e., where each ciphertext corresponds to exactly one plaintext — independently of the choice of the secret key or the random bits used in the encryption process.
Securely Obfuscating Re-encryption
Theory of Cryptography Conference TCC
2007
Cited by 13 (0 self)
We present a positive obfuscation result for a traditional cryptographic functionality. This positive result stands in contrast to well-known impossibility results [3] for general obfuscation and recent impossibility and improbability [13] results for obfuscation of many cryptographic functionalities. Whereas other positive obfuscation results in the standard model apply to very simple point functions, our obfuscation result applies to the significantly more complex and widely-used re-encryption functionality. This functionality takes a ciphertext for message m encrypted under Alice’s public key and transforms it into a ciphertext for the same message m under Bob’s public key. To overcome impossibility results and to make our results meaningful for cryptographic functionalities, our scheme satisfies a definition of obfuscation which incorporates more security-aware provisions.
Analysis of random oracle instantiation scenarios for OAEP and other practical schemes
CRYPTO 2005, volume 3621 of LNCS
2005
www.fischlin.de
The provable security of graph-based one-time signatures and extensions to algebraic signature schemes
Advances in Cryptology – ASIACRYPT 2002
2002
Cited by 11 (1 self)
Essentially all known one-time signature schemes can be described as special instances of a general scheme suggested by Bleichenbacher and Maurer based on “graphs of one-way functions”. Bleichenbacher and Maurer thoroughly analyze graph-based signatures from a combinatorial point of view, studying the graphs that result in the most efficient schemes (with respect to various efficiency measures, but focusing mostly on key generation time). However, they do not give a proof of security of their generic construction, and they leave open the problem of determining under what assumption security can be formally proved. In this paper we analyze graph-based signatures from a security point of view and give sufficient conditions that allow one to prove the security of the signature scheme in the standard complexity model (no random oracles). The techniques used to prove the security of graph-based one-time signatures are then applied to the construction of a new class of algebraic signature schemes, i.e., schemes where signatures can be combined with a restricted set of operations.
Correlated-Input Secure Hash Functions
Cited by 11 (0 self)
We undertake a general study of hash functions secure under correlated inputs, meaning that security should be maintained when the adversary sees hash values of many related high-entropy inputs. Such a property is satisfied by a random oracle, and its importance is illustrated by study of the “avalanche effect,” a well-known heuristic in cryptographic hash function design. One can interpret “security” in different ways: e.g., asking for one-wayness or that the hash values look uniformly and independently random; the latter case can be seen as a generalization of correlation-robustness introduced by Ishai et al. (CRYPTO 2003). We give specific applications of these notions to password-based login and efficient search on encrypted data. Our main construction achieves them (without random oracles) for inputs related by polynomials over the input space (namely Zp), based on corresponding variants of the q-Diffie-Hellman Inversion assumption. Additionally, we show relations between correlated-input secure hash functions and cryptographic primitives secure under related-key attacks. Using our techniques, we are also able to obtain a host of new results for such related-key attack secure cryptographic primitives.
Virtual Black-Box Obfuscation for All Circuits via Generic Graded Encoding
Cited by 11 (0 self)
We present a new general-purpose obfuscator for all polynomial-size circuits. The obfuscator uses graded encoding schemes, a generalization of multilinear maps. We prove that the obfuscator exposes no more information than the program’s black-box functionality, and achieves virtual black-box security, in the generic graded encoding scheme model. This proof is under the Bounded Speedup Hypothesis (BSH, a plausible worst-case complexity-theoretic assumption related to the Exponential Time Hypothesis), in addition to standard cryptographic assumptions. We also show that the weaker notion of indistinguishability obfuscation can be achieved without BSH. Very recently, Garg et al. (FOCS 2013) used graded encoding schemes to present a candidate obfuscator for indistinguishability obfuscation. They posed the problem of constructing a provably secure indistinguishability obfuscator in the generic graded encoding scheme model. Our obfuscator resolves this problem. Indeed, under BSH it achieves the stronger notion of virtual black-box security, which is our focus in this work. Our construction is different from that of Garg et al., but is inspired by it, in particular by their use of permutation branching programs. We obtain our obfuscator by developing techniques used to obfuscate d-CNF formulas (ePrint 2013), and applying them to permutation branching programs. This yields an obfuscator for the complexity class NC^1. We then use homomorphic encryption to obtain an obfuscator for any polynomial-size circuit.
Obfuscating Point Functions with Multibit Output
In EUROCRYPT 2008
Cited by 9 (3 self)
We study obfuscation of point functions with multibit output and other related functions. A point function with multibit output returns a string on a single input point and zero everywhere else. We provide a construction that obfuscates these functions. The construction is generic in the sense that it can use any perfectly one-way (POW) function or obfuscator for point functions. Analyzing this construction reveals gaps in the definition of obfuscation, specifically, that it does not guarantee security even under self-composition, a property needed in our analysis. Thus, we use obfuscation secure under composition. In particular, we show that composable obfuscation of multibit point functions exists if and only if composable obfuscation of point functions exists. Moreover, we show that this construction is secure based on statistically indistinguishable POW functions. However, if we relax the assumption to computational indistinguishability, then the construction satisfies a weaker notion of obfuscation. Finally, the same technique can be used to obfuscate set-membership predicates and functions, for polynomial-size sets.
On the security of OAEP
In Advances in Cryptology – ASIACRYPT ’06, volume 4284 of LNCS
2006
Cited by 8 (2 self)
Currently, the best and only evidence of the security of the OAEP encryption scheme is a proof in the contentious random oracle model. Here we give further arguments in support of the security of OAEP. We first show that partial instantiations, where one of the two random oracles used in OAEP is instantiated by a function family, can be provably secure (still in the random oracle model). For various security statements about OAEP we specify sufficient conditions for the instantiating function families that, in some cases, are realizable through standard cryptographic primitives and, in other cases, may currently not be known to be achievable but appear moderate and plausible. Furthermore, we give the first non-trivial security result about fully instantiated OAEP in the standard model, where both oracles are instantiated simultaneously. Namely, we show that instantiating both random oracles in OAEP by modest functions implies non-malleability under chosen plaintext attacks for random messages. We also discuss the implications, especially of the full instantiation result, to the usage of OAEP for secure hybrid encryption (as required in SSL/TLS, for example).