Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
, 1995
Cited by 1646 (70 self)
We argue that the random oracle model, where all parties have access to a public random oracle, provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol P^R for the random oracle model, and then replacing oracle accesses by the computation of an "appropriately chosen" function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.
A hard-core predicate for all one-way functions
 In Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing
, 1989
Cited by 440 (5 self)
Abstract. A central tool in constructing pseudorandom generators, secure encryption functions, and in other areas are “hard-core” predicates b of functions (permutations) f, discovered in [Blum Micali 82]. Such b(x) cannot be efficiently guessed (substantially better than 50-50) given only f(x). Both b, f are computable in polynomial time. [Yao 82] transforms any one-way function f into a more complicated one, f*, which has a hard-core predicate. The construction applies the original f to many small pieces of the input to f* just to get one “hard-core” [...]rity of f. In fact, for inputs (to f*) of practical size, the pieces effected by f are so small that f can be inverted (and the “hard-core” bit computed) by exhaustive search. In this paper we show that every one-way function, padded to the form f(p,x) = (p,g(x)), ||p|| = ||x||, has by itself a hard-core predicate of the same (within a polynomial) security. Namely, we prove a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of boolean vectors p, x is a hard-core of every one-way function f(p, x) = (p,g(x)). The result extends to multiple (up to the logarithm of security) such bits and to any distribution on the x's for which f is hard to invert.
On the Importance of Checking Cryptographic Protocols for Faults
, 1997
Cited by 405 (6 self)
We present a theoretical model for breaking various cryptographic schemes by taking advantage of random hardware faults. We show how to attack certain implementations of RSA and Rabin signatures. An implementation of RSA based on the Chinese Remainder Theorem can be broken using a single erroneous signature. Other implementations can be broken using a larger number of erroneous signatures. We also analyze the vulnerability to hardware faults of two identification protocols: Fiat-Shamir and Schnorr. The Fiat-Shamir protocol can be broken after a small number of erroneous executions of the protocol. Schnorr's protocol can also be broken, but a larger number of erroneous executions is needed. Keywords: Hardware faults, Cryptanalysis, RSA, Fiat-Shamir, Schnorr, Public key systems, Identification protocols. 1 Introduction. Direct attacks on the famous RSA cryptosystem seem to require that one factor the modulus. Therefore, it is interesting to ask whether there are attacks that avoid this....
Cryptographic Limitations on Learning Boolean Formulae and Finite Automata
 PROCEEDINGS OF THE TWENTY-FIRST ANNUAL ACM SYMPOSIUM ON THEORY OF COMPUTING
, 1989
Cited by 347 (14 self)
In this paper we prove the intractability of learning several classes of Boolean functions in the distribution-free model (also called the Probably Approximately Correct or PAC model) of learning from examples. These results are representation independent, in that they hold regardless of the syntactic form in which the learner chooses to represent its hypotheses. Our methods reduce the problems of cracking a number of well-known public-key cryptosystems to the learning problems. We prove that a polynomial-time learning algorithm for Boolean formulae, deterministic finite automata or constant-depth threshold circuits would have dramatic consequences for cryptography and number theory: in particular, such an algorithm could be used to break the RSA cryptosystem, factor Blum integers (composite numbers equivalent to 3 modulo 4), and detect quadratic residues. The results hold even if the learning algorithm is only required to obtain a slight advantage in prediction over random guessing. The techniques used demonstrate an interesting duality between learning and cryptography. We also apply our results to obtain strong intractability results for approximating a generalization of graph coloring.
Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks
 In Proc. of the 22nd STOC
, 1995
Cited by 284 (19 self)
We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive eavesdropping and a non-interactive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before. Key words: cryptography, randomized algorithms. AMS subject classifications: 68M10, 68Q20, 68Q22, 68R05, 68R10. A preliminary version of this paper appeared in the Proc. of the Twenty Second ACM Symposium of Theory of Computing. † Incumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Work performed while at the IBM Almaden Research Center. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: naor@wisdom.weizmann.ac.il. ‡ IBM Research Division, T.J ...
A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography
Cited by 269 (4 self)
We present the first known implementation of elliptic curve cryptography over F_{2^p} for sensor networks based on the 8-bit, 7.3828 MHz MICA2 mote. Through instrumentation of UC Berkeley’s TinySec module, we argue that, although secret-key cryptography has been tractable in this domain for some time, there has remained a need for an efficient, secure mechanism for distribution of secret keys among nodes. Although public-key infrastructure has been thought impractical, we argue, through analysis of our own implementation for TinyOS of multiplication of points on elliptic curves, that public-key infrastructure is, in fact, viable for TinySec keys’ distribution, even on the MICA2. We demonstrate that public keys can be generated within 34 seconds, and that shared secrets can be distributed among nodes in a sensor network within the same, using just over 1 kilobyte of SRAM and 34 kilobytes of ROM.
The NP-completeness column: an ongoing guide
 JOURNAL OF ALGORITHMS
, 1987
Cited by 239 (0 self)
This is the nineteenth edition of a (usually) quarterly column that covers new developments in the theory of NP-completeness. The presentation is modeled on that used by M. R. Garey and myself in our book "Computers and Intractability: A Guide to the Theory of NP-Completeness," W. H. Freeman & Co., New York, 1979 (hereinafter referred to as "[G&J]"; previous columns will be referred to by their dates). A background equivalent to that provided by [G&J] is assumed, and, when appropriate, cross-references will be given to that book and the list of problems (NP-complete and harder) presented there. Readers who have results they would like mentioned (NP-hardness, PSPACE-hardness, polynomial-time-solvability, etc.) or open problems they would like publicized, should
Optimal Asymmetric Encryption – How to Encrypt with RSA
, 1995
Cited by 224 (21 self)
Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(r_x), where r_x is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts; such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
Secure Untrusted Data Repository (SUNDR)
Cited by 185 (1 self)
We have implemented a secure network file system called SUNDR that guarantees the integrity of data even when malicious parties control the server. SUNDR splits storage functionality between two untrusted components, a block store and a consistency server. The block store holds all file data and most metadata. Without interpreting metadata, it presents a simple interface for clients to store variable-sized data blocks and later retrieve them by cryptographic hash.
Digital Signatures for Flows and Multicasts
, 1999
Cited by 169 (2 self)
We present chaining techniques for signing/verifying multiple packets using a single signing/verification operation. We then present flow signing and verification procedures based upon a tree chaining technique. Since a single signing/verification operation is amortized over many packets, these procedures improve signing and verification rates by one to two orders of magnitude compared to the approach of signing/verifying packets individually. Our procedures do not depend upon reliable delivery of packets, provide delay-bounded signing, and are thus suitable for delay-sensitive flows and multicast applications. To further improve our procedures, we propose several extensions to the Feige-Fiat-Shamir digital signature scheme to substantially speed up both the signing and verification operations, as well as to allow “adjustable and incremental” verification. The extended scheme, called eFFS, is compared to four other digital signature schemes (RSA, DSA, ElGamal, Rabin). We compare their signing and verification times, as well as key and signature sizes. We observe that (i) eFFS is the fastest in signing (by a large margin over any of the other four schemes) and as fast as RSA in verification (tie for a close second behind Rabin), (ii) eFFS allows a tradeoff between memory and signing/verification time, and (iii) eFFS allows adjustable and incremental verification by receivers.