## Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract) (2002)


Venue: Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656

Citations: 29 - 1 self

### BibTeX

```bibtex
@INPROCEEDINGS{Katz02efficientand,
    author = {Jonathan Katz},
    title = {Efficient and Non-Malleable Proofs of Plaintext Knowledge and Applications (Extended Abstract)},
    booktitle = {Advances in Cryptology – proc. of EUROCRYPT ’03, LNCS 2656},
    year = {2002},
    pages = {211--228},
    publisher = {Springer-Verlag}
}
```

### Abstract

We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols:

- Chosen-ciphertext-secure, interactive encryption. In settings where both parties are on-line, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of the schemes above. In each case, the improved scheme requires only a small overhead beyond the original, semantically-secure scheme...

### Citations

3188 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1977 |

705 | Public-Key Cryptosystems Based on Composite Degree Residuosity Classes - Paillier - 1999 |

670 | Universally composable security: A new paradigm for cryptographic protocols - Canetti - 2001 |

482 | A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack - Cramer, Shoup - 1998 |

473 | Non-Malleable Cryptography - Dolev, Dwork, et al. - 1991 |

Citation Context: ...ciphertext-secure (IND-CCA2) public-key encryption schemes [31,35], password-based authentication and key exchange (password-AKE) protocols in the public-key model [28,5], and deniable authentication [15,17]. ⋆ The full version of this work appears in [29]. ⋆⋆ (Work done while at Columbia University) E. Biham (Ed.): EUROCRYPT 2003, LNCS 2656, pp. 211–228, 2003. © International Association for Cryptologi...

360 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1991 |

Citation Context: ...d, either to the receiver – in case the receiver does not have sk – or to an eavesdropper. As we show here, PPKs have applications to chosen-ciphertext-secure (IND-CCA2) public-key encryption schemes [31,35], password-based authentication and key exchange (password-AKE) protocols in the public-key model [28,5], and deniable authentication [15,17]. ⋆ The full version of this work appears in [29]. ⋆⋆ (Work...

332 | A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms - Gamal - 1985 |

326 | Zero knowledge proofs of identity - Feige, Fiat, et al. - 1988 |

324 | Efficient Identification and Signatures for Smart Cards - Schnorr - 1990 |

Citation Context: ...ossible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well-known Σ-protocols [7] for these schemes (e.g., [32,26,8,38]) may be adapted to give PPKs, although modifications are needed to ensure security against a cheating verifier. For the applications listed above, however, these solutions are not sufficient; the fol...

307 | Digitalized signatures and public-key functions as intractable as factorization - Rabin - 1979 |

Citation Context: ...owledge (ZK) proofs of knowledge [20,25,3]; similarly [21,12], non-interactive PPKs are possible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well-known Σ-protocols [7] for these schemes (e.g., [32,26,8,38]) may be adapted to give PPKs, although modifications are needed to ensure security against a cheating verifier....

279 | Foundations of Cryptography: Basic Tools - Goldreich - 2001 |

262 | Public-key cryptosystems provably secure against chosen ciphertext attacks - Naor, Yung - 1990 |

208 | A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory - Guillou, Quisquater - 1988 |

199 | Non-Interactive Zero-Knowledge - Blum, Santis, et al. - 1991 |

176 | Multiple non-interactive zero knowledge proofs based on a single random string - Feige, Lapidot, et al. - 1990 |

173 | Concurrent zero-knowledge - Dwork, Naor, et al. - 2004 |

162 | Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security - Sahai - 1999 |

151 | On Defining Proofs of Knowledge - Bellare, Goldreich - 1992 |

Citation Context: ... Of course, PPKs may be achieved using generic zero-knowledge (ZK) proofs of knowledge [20,25,3]; similarly [21,12], non-interactive PPKs are possible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well...

149 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public key encryption. Cryptology ePrint Archive, Report 2001/085 - Cramer, Shoup - 2001 |

133 | Multiparty computation from threshold homomorphic encryption - Cramer, Damgård, et al. - 2001 |

118 | An efficient probabilistic public-key encryption scheme which hides all partial information - Blum, Goldwasser - 1985 |

Citation Context: ...duplicate the value α used by the simulator, so that α′ ≠ α. Details follow in the remainder of this section. The PPK we describe here will be for the following encryption scheme for ℓ-bit messages [4], which is semantically-secure under the RSA assumption: The modulus N is chosen as a product of two random k/2-bit primes, and e is a prime number such that |e| = O(k). The public key is (N,e). Let...

113 | Public-key cryptography and password protocols - Halevi, Krawczyk - 1999 |

Citation Context: ...ly a small overhead beyond the original, semantically-secure scheme. – Password-based authenticated key exchange. We derive efficient protocols for password-based key exchange in the public-key model [28, 5] whose security may be based on any of the cryptosystems mentioned above. – Deniable authentication. Our techniques give the first efficient constructions of deniable authentication protocols based on...

73 | Constant-round coin-tossing with a man in the middle or realizing the shared random string model - Barak |

68 | Zero-knowledge proofs of knowledge without interaction - Santis, Persiano - 1992 |

Citation Context: ... Of course, PPKs may be achieved using generic zero-knowledge (ZK) proofs of knowledge [20,25,3]; similarly [21,12], non-interactive PPKs are possible assuming appropriate public parameters are included with pk. For the Rabin, RSA, Paillier, or El-Gamal [34,36,33,19] encryption schemes, the well-known Σ-protocols [...

65 | Non-interactive and non-malleable commitment - Crescenzo, Ishai, et al. - 1998 |

54 | Concurrent Zero-Knowledge: Reducing the Need for Timing Constraints - Dwork, Sahai - 1998 |

52 | Modular Design of Secure yet Practical Cryptographic Protocols - Cramer - 1997 |

43 | Zaps and their applications - Dwork, Naor - 2000 |

41 | Fast signature generation with a Fiat Shamir-like scheme, EUROCRYPT ’90 - Ong, Schnorr - 1990 |

33 | Public-key Cryptography and Password Protocols: The Multi-User Case - Boyarsky - 1999 |

31 | Deniable Ring Authentication - Naor - 2002 |

26 | Proofs that Yield Nothing but their Validity - Goldreich, Micali, et al. - 1988 |

20 | Concurrent oblivious transfer - Garay, MacKenzie - 2000 |

14 | Multi-Party Cryptographic Computations: Techniques and Applications - Haber - 1987 |

Citation Context: ... efficient constructions of interactive IND-CCA2 encryption schemes based on (potentially weaker) computational assumptions. Interactive encryption schemes based on PPKs have been proposed previously [22,27,24]; these, however, achieve only non-adaptive CCA1 security. Interactive encryption was also considered by [15], who give a generic and relatively efficient IND-CCA2 scheme. This scheme requires a signa...

13 | Efficient Cryptographic Protocols Preventing Man in the Middle Attacks, Doctoral Dissertation submitted at - Katz - 2002 |

Citation Context: ...chemes [31,35], password-based authentication and key exchange (password-AKE) protocols in the public-key model [28,5], and deniable authentication [15,17]. ⋆ The full version of this work appears in [29]. ⋆⋆ (Work done while at Columbia University) Of course, PPKs may b...

10 | Symmetric public-key encryption - Galil, Haber, et al. |

2 | A Proof of Plaintext Knowledge Protocol and Applications - Aumann, Rabin - 2001 |

Citation Context: ...aints to ensure the security of our protocols when they are run in a concurrent, asynchronous environment. 1.2 Related Work Proofs of plaintext knowledge are explicitly considered by Aumann and Rabin [1], who provide an elegant solution for any public-key encryption scheme. Our solutions improve upon theirs in many respects: (1) by working with specific, number-theoretic assumptions we obtain simple,...

1 | On Defining Proofs of Knowledge. Advances in Cryptology --- Crypto '92 - Bellare, Goldreich - 1992 |

1 | on Information and System Security 2(3): 230--268 - Katz - 1999 |