## Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract) (2002)

Venue: | Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656 |

Citations: | 28 - 1 self |

### BibTeX

@INPROCEEDINGS{Katz02efficientand,
    author = {Jonathan Katz},
    title = {Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)},
    booktitle = {Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656},
    year = {2002},
    pages = {211--228},
    publisher = {Springer-Verlag}
}

### Abstract

We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols:

- Chosen-ciphertext-secure, interactive encryption. In settings where both parties are on-line, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...

### Citations

2925 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1983 |

631 | Public-key cryptosystems based on composite degree residuosity classes - Paillier - 1999 |

626 | Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 - Canetti - 2013 |

463 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998 |

450 | Non-malleable cryptography - Dolev, Dwork, et al. - 2000 |

Citation Context: ...ciphertext-secure (IND-CCA2) public-key encryption schemes [31,35], password-based authentication and key exchange (password-AKE) protocols in the public-key model [28,5], and deniable authentication [15,17]. ⋆ The full version of this work appears in [29]. ⋆⋆ (Work done while at Columbia University) E. Biham (Ed.): EUROCRYPT 2003, LNCS 2656, pp. 211–228, 2003. © International Association for Cryptologi...

340 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1991 |

Citation Context: ...d, either to the receiver – in case the receiver does not have sk – or to an eavesdropper. As we show here, PPKs have applications to chosen-ciphertext-secure (IND-CCA2) public-key encryption schemes [31,35], password-based authentication and key exchange (password-AKE) protocols in the public-key model [28,5], and deniable authentication [15,17]. ⋆ The full version of this work appears in [29]. ⋆⋆ (Work...

316 | A public key cryptosystem and a signature scheme based on discrete logarithms - Gamal - 1985 |

312 | Zero-Knowledge Proofs of Identity - Feige, Fiat, et al. - 1988 |

312 | Efficient identification and signatures for smart cards - Schnorr - 1989 |

Citation Context: ...ossible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well-known Σ-protocols [7] for these schemes (e.g., [32,26,8,38]) may be adapted to give PPKs, although modifications are needed to ensure security against a cheating verifier. For the applications listed above, however, these solutions are not sufficient; the fol...

289 | Digitalized Signatures and Public Key Functions as Intractable as Factoring - Rabin - 1979 |

Citation Context: ...owledge (ZK) proofs of knowledge [20,25,3]; similarly [21,12], non-interactive PPKs are possible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well-known Σ-protocols [7] for these schemes (e.g., [32,26,8,38]) may be adapted to give PPKs, although modifications are needed to ensure security against a cheating verifier....

275 | Foundations of Cryptography: Basic Tools - Goldreich - 2001 |

253 | Public key cryptosystems provably secure against chosen ciphertext attacks - Naor, Yung - 1990 |

200 | A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory - Guillou, Quisquater - 1988 |

191 | Non-interactive zero-knowledge - Blum, Santis, et al. - 1991 |

170 | Multiple noninteractive zero knowledge proofs under general assumptions - Feige, Lapidot, et al. - 1999 |

161 | Concurrent zero-knowledge - Dwork, Naor, et al. - 1998 |

156 | Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security - Sahai - 1999 |

143 | On defining proofs of knowledge - Bellare, Goldreich - 1992 |

Citation Context: ...Of course, PPKs may be achieved using generic zero-knowledge (ZK) proofs of knowledge [20,25,3]; similarly [21,12], non-interactive PPKs are possible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well...

141 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption - Cramer, Shoup - 2002 |

115 | Multiparty computation from threshold homomorphic encryption - Cramer, Damgård, et al. - 2001 |

113 | An efficient probabilistic public-key encryption scheme which hides all partial information - Blum, Goldwasser - 1984 |

Citation Context: ...duplicate the value α used by the simulator, so that α′ ≠ α. Details follow in the remainder of this section. The PPK we describe here will be for the following encryption scheme for ℓ-bit messages [4], which is semantically-secure under the RSA assumption: The modulus N is chosen as a product of two random k/2-bit primes, and e is a prime number such that |e| = O(k). 6 The public key is (N,e). Let...

105 | Public-key cryptography and password protocols - Halevi, Krawczyk - 1999 |

Citation Context: ...ly a small overhead beyond the original, semantically-secure scheme. – Password-based authenticated key exchange. We derive efficient protocols for password-based key exchange in the public-key model [28, 5] whose security may be based on any of the cryptosystems mentioned above. – Deniable authentication. Our techniques give the first efficient constructions of deniable authentication protocols based on...

70 | Constant-Round Coin-Tossing With a Man in the Middle or Realizing the Shared Random String Model - Barak - 2002 |

61 | Zero-knowledge proofs of knowledge without interaction - Santis, Persiano - 1992 |

Citation Context: ...Of course, PPKs may be achieved using generic zero-knowledge (ZK) proofs of knowledge [20,25,3]; similarly [21,12], non-interactive PPKs are possible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well-known Σ-protocols [...

59 | Efficient and Non-Interactive Non-Malleable Commitments - Crescenzo, Katz, et al. - 2001 |

54 | Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints - Dwork, Sahai - 1998 |

49 | Modular Design of Secure, yet Practical Cryptographic Protocols - Cramer - 1996 |

42 | Zaps and their applications - Dwork, Naor - 2000 |

40 | Fast Signature Generation with a Fiat-Shamir-Like Scheme. Eurocrypt ’90 - Ong, Schnorr |

31 | Public-key cryptography and password protocols: The multi-user case - Boyarsky |

31 | Deniable Ring Authentication - Naor |

25 | Proofs that Yield Nothing but their Validity - Goldreich, Micali, et al. - 1991 |

21 | Concurrent Oblivious Transfer - Garay, MacKenzie - 2000 |

14 | Multi-Party Cryptographic Computation: Techniques and Applications - Haber - 1988 |

Citation Context: ... efficient constructions of interactive IND-CCA2 encryption schemes based on (potentially weaker) computational assumptions. Interactive encryption schemes based on PPKs have been proposed previously [22,27,24]; these, however, achieve only non-adaptive CCA1 security. Interactive encryption was also considered by [15], who give a generic and relatively efficient IND-CCA2 scheme. This scheme requires a signa...

13 | Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks - Katz - 2002 |

Citation Context: ...chemes [31,35], password-based authentication and key exchange (password-AKE) protocols in the public-key model [28,5], and deniable authentication [15,17]. ⋆ The full version of this work appears in [29]. ⋆⋆ (Work done while at Columbia University) Of course, PPKs may b...

9 | Symmetric Public-Key Encryption - Galil, Haber, et al. - 1986 |

2 | A Proof of Plaintext Knowledge Protocol and Applications - Aumann, Rabin - 2001 |

Citation Context: ...aints to ensure the security of our protocols when they are run in a concurrent, asynchronous environment. 1.2 Related Work Proofs of plaintext knowledge are explicitly considered by Aumann and Rabin [1], who provide an elegant solution for any public-key encryption scheme. Our solutions improve upon theirs in many respects: (1) by working with specific, number-theoretic assumptions we obtain simple,...

1 | On Defining Proofs of Knowledge. Advances in Cryptology --- Crypto '92 - Bellare, Goldreich - 1992 |

1 | on Information and System Security 2(3): 230--268 - Katz - 1999 |