## Identification protocols secure against reset attacks (2001)

### Cached

### Download Links

Venue: | Adv. in Cryptology — Eurocrypt 2001, LNCS |

Citations: | 28 - 4 self |

### BibTeX

@INPROCEEDINGS{Bellare01identificationprotocols,

author = {Mihir Bellare and Marc Fischlin and Shafi Goldwasser and Silvio Micali},

title = {Identification protocols secure against reset attacks},

booktitle = {Adv. in Cryptology — Eurocrypt 2001, LNCS},

year = {2001},

pages = {495--511},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We provide identi£cation protocols that are secure even when the adversary can reset the internal state and/or randomization source of the user identifying itself, and when executed in an asynchronous environment like the Internet that gives the adversary concurrent access to instances of the user. These protocols are suitable for use by devices (like smartcards) which when under adversary control may not be able to reliably maintain their internal state between invocations. 1

### Citations

1041 | Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Rackoff
- 1989
(Show Context)
Citation Context ...o-knowledge type property such as being witness hiding [12], is a secure identification protocol in the smartcard model [11]. A simple instance is the zero-knowledge proof of quadratic residuosity of =-=[15]-=-. The prover’s public key consists of a composite integer N and a quadratic residue u ∈ Z ∗ N . The corresponding secret key is a square root s ∈ Z ∗ N of u. The prover proves that it “knows” a square... |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...ign random documents of Bob’s choice. This is known (folklore) to yield a secure identi£cation scheme in the serial non-reset setting of [11] as long as the signature scheme is secure in the sense of =-=[16]-=-. It is also known to be secure in the concurrent non-reset setting [1]. But it fails in general to be secure in the resettable setting because an adversary can obtain signatures of different messages... |

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...if c = 0 and rs mod N if c = 1. The verifier checks that a2 ≡ yuc mod N. (This atomic protocol has an error probability of 1/2, which can be lowered by sequential repetition. The Fiat-Shamir protocol =-=[13]-=- can be viewed as a parallelized variant of this protocol.) Now suppose the adversary is able to mount reset attacks on the prover. It can run the prover to get y, feed it challenge 0, and get back a ... |

628 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

583 |
Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
(Show Context)
Citation Context ...elies on the techniques introduced in [8] and utilizes pseudorandom functions and trapdoor commitments. It applies to most of the popular identi£cation schemes, like Fiat-Shamir [13], Okamoto-Schnorr =-=[20, 18]-=- or Okamoto-GuillouQuisquater [17, 18]. ZK PROOF OF MEMBERSHIP BASED IDENTIFICATION. In the zero-knowledge proofs of membership paradigm, Alice convinces Bob she is Alice, by being “able to” prove mem... |

464 | Entity authentication and key distribution. CRYPTO’93, LNCS. 773
- Bellare, Rogaway
- 1994
(Show Context)
Citation Context ... may play the role of verifier and interact with the prover, trying to learn something about sk, before making its impersonation attempt. In the model of “Internet” based identification considered by =-=[6, 1, 5]-=-, the adversary is allowed to interact concurrently with many different prover “instances” as well as with the verifier. Formal notions of security corresponding to these settings have been provided i... |

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998 |

450 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
(Show Context)
Citation Context ...cr1 ID,I (k) — Execution of protocol ID with adversary I and security parameter k in the CR1 setting Initialization: (1) (pk, sk) ← ID(keygen, k) / Pick keys via randomized key generation algorithm / =-=(2)-=- Choose tape RV for verifier at random ; CV ← 0 / Coins and message counter for verifier / (3) p ← 0 / Number of active prover instances / Execute adversary I on input pk and reply to its oracle queri... |

450 | Non-Malleable Cryptography - Dolev, Dwork, et al. - 2000 |

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1992 |

313 | Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1989 |

312 | Authenticated key exchange secure against dictionary attacks
- Bellare, Pointcheval, et al.
(Show Context)
Citation Context ... may play the role of verifier and interact with the prover, trying to learn something about sk, before making its impersonation attempt. In the model of “Internet” based identification considered by =-=[6, 1, 5]-=-, the adversary is allowed to interact concurrently with many different prover “instances” as well as with the verifier. Formal notions of security corresponding to these settings have been provided i... |

310 |
Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988
(Show Context)
Citation Context ... get the verifier to accept it as the owner of the public key pk. Towards this goal, it is allowed various types of attacks on the prover. In the model of smartcard based identification considered by =-=[11]-=-, the adversary may play the role of verifier and interact with the prover, trying to learn something about sk, before making its impersonation attempt. In the model of “Internet” based identification... |

302 |
Minimum Disclosure Proofs of Knowledge
- Brassard, Crepeau
- 1988
(Show Context)
Citation Context ...t knowing the secret a commitment is still solidly binding. Trapdoor commitment schemes exist under standard assumptions like the intractability of the discrete-log or the RSA or factoring assumption =-=[7]-=- and thus under the same assumptions that the aforementioned CID-identification protocols rely on. Basically, a trapdoor commitment enables us to reduce an intrusion try of an impersonator I in the de... |

252 | Public-Key Cryptosystems Provably Secure Against Chosen Ciphertext Attacks - Naor, Yung - 1990 |

224 | A modular approach to the design and analysis of authentication and key-exchange protocols
- Bellare, Canetti, et al.
- 1998
(Show Context)
Citation Context ... may play the role of verifier and interact with the prover, trying to learn something about sk, before making its impersonation attempt. In the model of “Internet” based identification considered by =-=[6, 1, 5]-=-, the adversary is allowed to interact concurrently with many different prover “instances” as well as with the verifier. Formal notions of security corresponding to these settings have been provided i... |

168 | Witness indistinguishable and witness hiding protocols - Feige, Shamir - 1990 |

159 | Concurrent Zero-Knowledge
- Dwork, Naor, et al.
- 1998
(Show Context)
Citation Context ...ify that the novel feature of our work is the consideration of reset attacks for identification. However our settings are de£ned in such a way that the traditional concurrent attacks as considered by =-=[6, 10]-=- and others are incorporated, so that security against these attacks is achieved by our protocols. 1.3 Four paradigms for identification secure against reset attack As we explained above, the standard... |

150 | Signature schemes based on the strong RSA assumption - Cramer, Shoup - 1999 |

147 |
Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1993
(Show Context)
Citation Context ...elies on the techniques introduced in [8] and utilizes pseudorandom functions and trapdoor commitments. It applies to most of the popular identi£cation schemes, like Fiat-Shamir [13], Okamoto-Schnorr =-=[20, 18]-=- or Okamoto-GuillouQuisquater [17, 18]. ZK PROOF OF MEMBERSHIP BASED IDENTIFICATION. In the zero-knowledge proofs of membership paradigm, Alice convinces Bob she is Alice, by being “able to” prove mem... |

140 | On Defining Proofs of Knowledge
- Bellare, Goldreich
- 1992
(Show Context)
Citation Context ...2j−1) with 1 ≤ 2j − 1 ≤ m(k) (1) CV ← CV +2 (2) If 2j < CV then Return ⊥ / Not allowed to reset the verifier / (3) If 2j−1 < m(k)−1then MSG2j ← ID(vfmsg, pk, MSG1� · · · �MSG2j−1; RV ) ; Return MSG2j =-=(4)-=- If 2j−1=m(k)then decision ← ID(vfend, pk, MSG1� · · · �MSG2j; RV ) (5) Return decision Did I win? When I has terminated set WINI = true if decision = accept. Fig. 2. Experiment describing execution o... |

121 | Secure hash-and-sign signatures without the random oracle - Gennaro, Halevi, et al. - 1999 |

74 | Resettable Zero-Knowledge
- Canetti, Goldreich, et al.
- 2000
(Show Context)
Citation Context ...r Bellare et al. will towards its goal of impersonating the prover. The question of the security of identi£cation protocols under reset attacks was raised by Canetti, Goldreich, Goldwasser and Micali =-=[8]-=-, who considered the same issue in the context of zero-knowledge proofs. 1.1 The power of reset attacks AN EXAMPLE. Let us illustrate the power of reset attacks with an example. A popular paradigm for... |

45 | An efficient existentially unforgeable signature scheme and its applications - Dwork, Naor |

40 | Fast Signature Generation with a Fiat-Shamir-Like Scheme. Eurocrypt ’90
- Ong, Schnorr
(Show Context)
Citation Context ...et Attacks 505 engaging in a verification. In addition to the Fiat-Shamir system [13], most of the wellknown practical identification schemes also achieve this security level, for example Ong-Schnorr =-=[19, 21]-=- for some system parameters, Okamoto-Guillou-Quisquater [17, 18] and Okamoto-Schnorr [20, 18]. Nonetheless, there are also protocols which are only known to be secure against sequential attacks (e.g. ... |

36 | New generation of secure and practical rsa-based signatures - Cramer, Damg˚ard - 1996 |

33 | How to sign given any trapdoor permutation - Bellare, Micali - 1992 |

24 | The knowledge complexity ofinteractive proofs - Goldwasser, Micali, et al. - 1989 |

20 | On the security of a practical identification scheme
- Shoup
- 1999
(Show Context)
Citation Context ... for some system parameters, Okamoto-Guillou-Quisquater [17, 18] and Okamoto-Schnorr [20, 18]. Nonetheless, there are also protocols which are only known to be secure against sequential attacks (e.g. =-=[22]-=-). To avoid confusion with the derived scheme ID, instead of writing Send(prvmsg, . . .) and Send(vfmsg, . . .), we denote the algorithms generating the commitment, challenge and response message for ... |

9 | An e cient existentially unforgeable signature scheme and its applications - Dwork, Naor - 1994 |

3 | How toproveyourself: practical solutions to identi cation and signature problems - Fiat, Shamir - 1986 |

2 | Non-malleable cryptography", TR CS95-27, Weizmann Institute. Preliminary version - Dolev, Dwork, et al. - 1991 |

1 |
Security of 2 t -Root Identi£cation and Signatures
- SCHNORR
- 1996
(Show Context)
Citation Context ...et Attacks 505 engaging in a verification. In addition to the Fiat-Shamir system [13], most of the wellknown practical identification schemes also achieve this security level, for example Ong-Schnorr =-=[19, 21]-=- for some system parameters, Okamoto-Guillou-Quisquater [17, 18] and Okamoto-Schnorr [20, 18]. Nonetheless, there are also protocols which are only known to be secure against sequential attacks (e.g. ... |

1 | Public-key encryption in a multi-mser Setting: Security proofs and improvements - Bellare, Boldyreva, et al. - 2000 |

1 | Damg ard, "New generation of secure and practical RSA-based signatures - Cramer, I - 1996 |