Pinocchio: Nearly practical verifiable computation
In Proceedings of the IEEE Symposium on Security and Privacy, 2013
Cited by 18 (1 self)
Abstract: To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio's verification time is typically 10 ms: 5-7 orders of magnitude less than previous work; indeed Pinocchio is the first general-purpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker's proof effort by an additional 19-60×. As an additional feature, Pinocchio generalizes to zero-knowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an end-to-end toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
On the Key Exposure Problem in Chameleon Hashes
SCN: Security in Communication Networks, 4th International Conference, Springer-Verlag, LNCS 3352:165-179, 2004
Cited by 12 (0 self)
Abstract: Chameleon signatures were introduced by Krawczyk and Rabin, being non-interactive signature schemes that provide non-transferability. However, that first construction employs a chameleon hash that suffers from a key exposure problem: the non-transferability property requires willingness of the recipient in consequentially exposing a secret key, and therefore invalidating all signatures issued to the same recipient's public key. To address this key-revocation issue, and its attending problems of key redistribution, storage of state information, and greater need for interaction, an identity-based scheme was proposed in [1], while a fully key-exposure-free construction, based on elliptic curves with pairings, appeared later in [7].
Concise Mercurial Vector Commitments and Independent Zero-Knowledge Sets with Short Proofs
Cited by 6 (1 self)
Abstract: Introduced by Micali, Rabin and Kilian (MRK), the basic primitive of zero-knowledge sets (ZKS) allows a prover to commit to a secret set S so as to be able to prove statements such as x ∈ S or x ∉ S. Chase et al. showed that ZKS protocols are underlain by a cryptographic primitive termed mercurial commitment. A (trapdoor) mercurial commitment has two commitment procedures. At committing time, the committer can choose not to commit to a specific message and rather generate a dummy value which it will be able to softly open to any message without being able to completely open it. Hard commitments, on the other hand, can be hardly or softly opened to only one specific message. At Eurocrypt 2008, Catalano, Fiore and Messina (CFM) introduced an extension called trapdoor q-mercurial commitment (qTMC), which allows committing to a vector of q messages. These qTMC schemes are interesting since their openings w.r.t. specific vector positions can be short (ideally, the opening length should not depend on q), which provides zero-knowledge sets with much shorter proofs when such a commitment is combined with a Merkle tree of arity q. The CFM construction notably features short proofs of non-membership as it makes use of a qTMC scheme with short soft openings. A problem left open is that hard openings still have size O(q), which prevents proofs of membership from being as compact as those of non-membership. In this paper, we solve this open problem and describe a new qTMC scheme where hard and soft position-wise openings both have constant size. We then show how our scheme is amenable to constructing independent zero-knowledge sets (i.e., ZKS schemes that prevent adversaries from correlating their set to the sets of honest provers, as defined by Gennaro and Micali). Our solution retains the short proof property for this important primitive as well.
Keywords: zero-knowledge databases, mercurial commitments, efficiency, independence.
New Approaches for Deniable Authentication
In EUROCRYPT '99, 2005
Cited by 5 (0 self)
Abstract: Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place. We point
Concurrently Non-Malleable Zero-Knowledge in the Authenticated Public-Key Model
Cryptology ePrint Archive, 2006
Cited by 4 (0 self)
Abstract: We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. As negative results in the area of concurrent non-malleable zero-knowledge imply that protocols in the standard setting (i.e., under no setup assumptions) can only be given for trivial languages, researchers have studied such protocols in models with setup assumptions, such as the common reference string (CRS) model. This model assumes that a reference string is honestly created at the beginning of all interactions and later available to all parties (an assumption that is satisfied, for instance, in the presence of a trusted party). A growing area of research in cryptography is that of reducing the setup assumptions under which certain cryptographic protocols can be realized. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm is required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from [8, 30], and a weaker variation of the registered public-key model used in [3]. We then define and study
On the Generic and Efficient Constructions of Secure Designated Confirmer Signatures
Cited by 3 (1 self)
Abstract: For controlling the public verifiability of ordinary digital signatures, designated confirmer signature (DCS) schemes were introduced by Chaum at Eurocrypt 1994. In such schemes, a signature can be verified only with the help of a semi-trusted third party, called the designated confirmer. The confirmer can further selectively convert individual designated confirmer signatures into ordinary signatures so that anybody can check their validity. In the last decade, a number of DCS schemes have been proposed. However, most of those schemes are either inefficient or insecure. At Asiacrypt 2005, Gentry, Molnar and Ramzan presented a generic transformation to convert any signature scheme into a DCS scheme, and proved the scheme is secure in their security model. Their DCS scheme not only has efficient instantiations but also gets rid of both random oracles and general zero-knowledge proofs. In this paper, we first show that their DCS transformation does not meet the desired security requirements by identifying two security flaws. Then, we point out the reasons that cause those flaws and further propose a secure improvement to fix the flaws. Finally, we present a new generic and efficient DCS scheme without using any public key encryption and prove its security. To the best of our knowledge, this is the first secure DCS scheme that does not require public key encryption.
The power of identification schemes
In Public Key Cryptography, LNCS 3958, 2006
Cited by 2 (1 self)
Abstract: In this paper, we show that identification schemes (ID-schemes) are very powerful in some areas of cryptography. We first prove an equivalence between non-interactive trapdoor commitment schemes and a natural class of identification schemes. We next propose a more efficient online/offline signature transformation than Shamir-Tauman. As an application, we present a variant of the Boneh-Boyen (BB) signature scheme which is not only online/offline but also has a smaller public key size than the original BB scheme. Finally, we present the first identity-based ID-scheme which is secure against concurrent man-in-the-middle attack without random oracles by using our variant of the BB signature scheme.
An Abuse-Free Optimistic Contract Signing Protocol with Multiple TTPs
Cited by 2 (0 self)
Abstract: With the phenomenal growth of the Internet, security services have become crucial to many applications such as e-commerce payment protocols, electronic contract signing, and certified e-mail delivery. For these applications fair exchange must be assured. A fair protocol allows two members participating in a contract to exchange digital signatures over the Internet in a fair way, so that either each person gets the other's signature, or neither person does. As more business is conducted over the Internet, the fair-exchange problem is gaining greater importance. The property of abuse-freeness is necessary for contract signing. Abuse-free means that, if the protocol is not executed successfully, neither of the two members involved in contract signing can show the validity of intermediate results to others. Here a contract-signing protocol in a multiple-TTP scenario is described. This digital signature exchange protocol is optimistic, meaning the trusted third party (TTP) is involved only in situations where one person is cheating or the communication channel is interrupted, i.e., the TTP is offline.
New Receipt-free Voting Scheme Using Double-trapdoor Commitment
Cited by 1 (0 self)
Abstract: Designing an electronic voting scheme using blind signatures and anonymous channels is considered to be the most suitable solution for large-scale elections. Based on this framework, Okamoto first proposed a receipt-free voting scheme [23] for large-scale elections. However, in a following paper, Okamoto [24] proved that the scheme [23] is not receipt-free and presented two improved schemes. One scheme requires the help of the voting commission and the other needs a stronger physical assumption of the voting booth. In this paper, we utilize the double-trapdoor commitment to propose a new receipt-free voting scheme based on blind signatures for large-scale elections. Neither the voting commission nor the voting booth is required in the proposed scheme. We also present a more efficient zero-knowledge proof for secret permutation. Therefore, our scheme is more efficient than Okamoto's schemes [23, 24] with weaker physical assumptions. Moreover, we prove that our scheme achieves the desired security notions.
Efficiency Preserving Transformations for Concurrent Non-Malleable Zero Knowledge
Appeared in TCC 2010
Abstract: Ever since the invention of zero-knowledge by Goldwasser, Micali, and Rackoff [1], zero-knowledge has become a central building block in cryptography with numerous applications, ranging from electronic cash to digital signatures. The properties of zero-knowledge range from the most simple (and not particularly useful in practice) requirements, such as honest-verifier zero-knowledge, to the most demanding (and most useful in applications), such as non-malleable and concurrent zero-knowledge. In this paper, we study the complexity of efficient zero-knowledge reductions from the first type to the second type. More precisely, under a standard complexity assumption (DDH), on input a public-coin honest-verifier statistical zero-knowledge argument of knowledge π′ for a language L, we show a compiler that produces an argument system π for L that is concurrent non-malleable zero-knowledge (under non-adaptive inputs, which is the best one can hope to achieve [2, 3]). If κ is the security parameter, the overhead of our compiler is as follows: