Results 1 - 9 of 9
Reducing complexity assumptions for statistically-hiding commitment
In EUROCRYPT, 2005
Cited by 36 (8 self)
We revisit the following question: what are the minimal assumptions needed to construct statistically-hiding commitment schemes? Naor et al. show how to construct such schemes based on any one-way permutation. We improve upon this by showing a construction based on any approximable-preimage-size one-way function. These are one-way functions for which it is possible to efficiently approximate the number of preimages of a given output. A special case is the class of regular one-way functions where all points in the image of the function have the same number of preimages. We also prove two additional results related to statistically-hiding commitment. First, we prove a (folklore) parallel composition theorem showing, roughly speaking, that the statistical hiding property of any such commitment scheme is amplified exponentially when multiple independent parallel executions of the scheme are carried out. Second, we show a compiler which transforms any commitment scheme which is statistically hiding against an honest-but-curious receiver into one which is statistically hiding even against a malicious receiver.
Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins
In Proc. Crypto ’04, 2004
Cited by 28 (0 self)
Abstract. Many cryptographic primitives begin with parameter generation, which picks a primitive from a family. Such generation can use public coins (e.g., in the discrete-logarithm-based case) or secret coins (e.g., in the factoring-based case). We study the relationship between public-coin and secret-coin collision-resistant hash function families (CRHFs). Specifically, we demonstrate that: – there is a lack of attention to the distinction between secret-coin and public-coin definitions in the literature, which has led to some problems in the case of CRHFs; – in some cases, public-coin CRHFs can be built out of secret-coin CRHFs; – the distinction between the two notions is meaningful, because in general secret-coin CRHFs are unlikely to imply public-coin CRHFs. The last statement above is our main result, which states that there is no black-box reduction from public-coin CRHFs to secret-coin CRHFs. Our proof for this result, while employing oracle separations, uses a novel approach, which demonstrates that there is no black-box reduction without demonstrating that there is no relativizing reduction.
Formalizing human ignorance: Collision-resistant hashing without the keys
In Proc. Vietcrypt ’06, 2006
Cited by 24 (0 self)
Abstract. There is a foundational problem involving collision-resistant hash-functions: common constructions are keyless, but formal definitions are keyed. The discrepancy stems from the fact that a function $H\colon \{0,1\}^* \to \{0,1\}^n$ always admits an efficient collision-finding algorithm, it’s just that us human beings might be unable to write the program down. We explain a simple way to sidestep this difficulty that avoids having to key our hash functions. The idea is to state theorems in a way that prescribes an explicitly-given reduction, normally a black-box one. We illustrate this approach using well-known examples involving digital signatures, pseudorandom functions, and the Merkle-Damgård construction. Key words. Collision-free hash function, Collision-intractable hash function, Collision-resistant hash function, Cryptographic hash function, Provable security.
The Classification of Hash Functions
1993
Cited by 24 (3 self)
When we ask what makes a hash function `good', we usually get an answer which includes collision freedom as the main (if not sole) desideratum. However, we show here that given any collision-free function, we can derive others which are also collision-free, but cryptographically useless. This explains why researchers have not managed to find many interesting consequences of this property. We also prove Okamoto's conjecture that correlation freedom is strictly stronger than collision freedom. We go on to show that there are actually rather many properties which hash functions may need. Hash functions for use with RSA must be multiplication free, in the sense that one cannot find X, Y and Z such that h(X)h(Y) = h(Z); and more complex requirements hold for other signature schemes. Universal principles can be proposed from which all the freedom properties follow, but like most theoretical principles, they do not seem to give much value to a designer; at the practical level, the main imp...
Sufficient Conditions for Collision-Resistant Hashing
In Proceedings of the 2nd Theory of Cryptography Conference, 2005
Cited by 19 (2 self)
Abstract. We present several new constructions of collision-resistant hash-functions (CRHFs) from general assumptions. We start with a simple construction of CRHF from any homomorphic encryption. Then, we strengthen this result by presenting constructions of CRHF from two other primitives that are implied by homomorphic encryption: one-round private information retrieval (PIR) protocols and homomorphic one-way commitments. Keywords. Collision-resistant hash functions, homomorphic encryption, private information retrieval.
1 Introduction
Collision resistant hash-functions (CRHFs) are an important cryptographic primitive. Their applications range from classic ones such as the "hash-and-sign" paradigm for signatures, via efficient (zero-knowledge) arguments [14, 17, 2], to more recent applications such as ones relying on the non-black-box techniques of [1]. In light of the importance of the CRHF primitive, it is natural to study its relations with other primitives and try to construct it from the most general
Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks
COLUMBIA UNIVERSITY, 2002
Cited by 15 (2 self)
In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “man-in-the-middle” attacks) in which — in addition to eavesdropping — the adversary inserts, deletes, or arbitrarily modifies messages sent from one user to another. Passive attacks are well characterized (the adversary’s choices are inherently limited) and techniques for achieving security against passive attacks are relatively well understood. Indeed, cryptographers have long focused on methods for countering passive eavesdropping attacks, and much work in the 1970’s and 1980’s has dealt with formalizing notions of security and providing provably-secure solutions for this setting. On the other hand, active attacks are not well characterized and precise modeling has been difficult. Few techniques exist for dealing with active attacks, and designing practical protocols secure against such attacks remains a challenge. This dissertation considers active attacks in a variety of settings and provides new, provably-secure protocols preventing such attacks. Proofs of security are in the standard cryptographic model and rely on well-known cryptographic assumptions. The protocols presented here are efficient and
Efficient Consistency Proofs on a Committed Database
In Automata, Languages and Programming: 31st International Colloquium, ICALP 2004, 2003
Cited by 8 (1 self)
A consistent query protocol allows a database owner to publish a very short string c which commits her to a particular database D with special consistency property (i.e., given c, every allowable query has unique and well-defined answer with respect to D.) Moreover, when a user makes a query, any server hosting the database can answer the query, and provide a very short proof π that the answer is well-defined, unique, and consistent with c (and hence with D). One potential application of consistent query protocols is for guaranteeing the consistency of many replicated copies of D: the owner can publish c, and users can verify the consistency of a query to some copy of D by making sure π is consistent with c. This strong guarantee holds even for owners who try to cheat, while creating c.
Universally Composable Time-Stamping Schemes with Audit
In ISC05, LNCS 3650, 2005
Cited by 7 (3 self)
We present a universally composable time-stamping scheme based on universal one-way hash functions.