## Non-Malleable Cryptography (2000)

Venue: SIAM Journal on Computing

Citations: 470 (22 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Dolev00non-malleablecryptography,
  author    = {Danny Dolev and Cynthia Dwork and Moni Naor},
  title     = {Non-Malleable Cryptography},
  booktitle = {SIAM Journal on Computing},
  year      = {2000},
  pages     = {542--552}
}
```

### Abstract

The notion of non-malleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext so that the respective plaintexts are related. The same concept makes sense in the contexts of string commitment and zero-knowledge proofs of possession of knowledge. Non-malleable schemes for each of these three problems are presented. The schemes do not assume a trusted center; a user need not know anything about the number or identity of other system users. Our cryptosystem is the first proven to be secure against a strong type of chosen ciphertext attack proposed by Rackoff and Simon, in which the attacker knows the ciphertext she wishes to break and can query the decryption oracle on any ciphertext other than the target.

### Citations

3152 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation context: ...student who steals a test and can ask the professor any question, except the ones on the test. This is the first public key cryptosystem to be provably secure against such attacks. Indeed, (plain) RSA [64] and the implementation of probabilistic encryption based on quadratic residuosity [43] are insecure against a chosen ciphertext postprocessing attack. Malleability, as defined in Section 2.2 specifies...

1417 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation context: ...lti-party computation, and construct non-malleable protocols for these problems. 3. Simplify the constructions in this paper. Bellare and Rogaway present simplified constructions using a random oracle [6, 7]. A challenging open problem is to (define and) construct a publicly computable pseudo-random function. Such a construction is essential if [6, 7] are to be made complexity-based. For a recent discussi...

1230 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation context: ...leable Public Key Cryptography: Goldwasser and Micali define a cryptosystem to be semantically secure if anything computable about the cleartext from the ciphertext is computable without the ciphertext [43]. This powerful type of security may be insufficient in the context of a distributed system, in which the mutual independence of messages sent by distinct parties often plays a critical role. For example...

1205 | A logic of authentication
- Burrows, Abadi, et al.
- 1990
Citation context: ...nonce N under K_AB, and the protocol requires B to respond with the encryption under K_AB of f(N), where f is some simple function such as f(x) = x + 1. The unproved and unstated assumption (see, e.g. [16]) is that seeing K_AB(N) doesn't help an imposter falsely claiming to be B to compute K_AB(f(N)). As we shall see, this is precisely the guarantee provided by non-malleability. Non-malleability is a...

1079 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1989
Citation context: ...f(a, b) = 2 then zero-knowledge is not ensured, but other requirements may hold, depending on the protocol.) Two interesting examples of zero-knowledge interaction are proof of language membership [44, 40] and proofs of knowledge [31]. Both of these can be based on the existence of string commitment protocols. Non-Interactive Zero-Knowledge Proof Systems: An important tool in the construction of our pub...

750 | Construction of pseudo random generators from one-way functions
- Hastad, Impagliazzo, et al.
Citation context: ...rmation about (r′, f_{K_AB}(r′)) for any new r′ and in particular they are unpredictable.) Since it is known that the existence of one-way functions implies the existence of pseudorandom functions [37, 48] we have Theorem 3.9: If one-way functions exist, then there are non-malleable private-key encryption schemes secure against chosen ciphertext attacks in the post-processing mode. Since it is known tha...

662 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation context: ...describe a system that is semantically secure against a chosen ciphertext attack in the preprocessing mode: Treat K_AB as (K_1, K_2) which will be used as seeds to a pseudo-random function f (see [37] for the definition of pseudo-random functions, [56, 57] for recent constructions and [58] for a recent discussion on using pseudo-random functions for encryption and authentication). In order to encrypt m...

528 | Theory and applications of trapdoor functions
- Yao
- 1982
Citation context: ...s over the choice of e and the coin flips of F (which gets e as input), and each internal probability is taken over the coin flips of T and the choice of r. For implementations of probabilistic encryption see [2, 14, 39, 52, 66]. In particular, such schemes can be constructed from any trapdoor permutation. When describing the security of a cryptosystem, one must define what the attack is and what it means to break the system....

494 | Entity authentication and key distribution
- Bellare, Rogaway
- 1994
Citation context: ...maining P_i's. For example, show that the adversary can't find the bitwise logical-OR of the remaining pictures. This type of problem is simply ignored in papers on generating session keys (see, e.g., [8, 9]). If session keys are to be used for encryption, then the selective decryption problem must be addressed. 7. Design a completely malleable cryptosystem in which, given E(x) and E(y) it is possible...

476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
Citation context: ...omplexity-based. For a recent discussion on constructing such functions see [17, 18, 19]; note that none of the proposals there is sufficient to yield non-malleability. Very recently Cramer and Shoup [23] suggested an efficient construction of a nonmalleable cryptosystem secure against chosen ciphertext attacks in the postprocessing mode. The scheme is based on the Decisional Diffie-Hellman assumption (see...

469 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation context: ...arty B. Similar to a digital signature scheme, an authentication scheme can convince B that A is willing to authenticate m. (Footnote 8: For a very recent discussion of the relationship between these notions see Bellare et al. [3], where they show that there are indeed five distinct possibilities.) However, unlike the case with digital signatures, an authentication scheme need not permit B to convince a third p...

381 | A hard-core predicate for all one-way functions
- Goldreich, Levin
- 1989
Citation context: ...s over the choice of e and the coin flips of F (which gets e as input), and each internal probability is taken over the coin flips of T and the choice of r. For implementations of probabilistic encryption see [2, 14, 39, 52, 66]. In particular, such schemes can be constructed from any trapdoor permutation. When describing the security of a cryptosystem, one must define what the attack is and what it means to break the system....

357 | Non-interactive zero knowledge proof of knowledge and chosen ciphertext attack, Crypto
- Rackoff, Simon
Citation context: ...eable security are equivalent, which is not the case for weaker attacks. See Section 3.4.2. (Footnote 2: ...research touching on this problem of which we are aware requires at least one of these assumptions (e.g., [20, 21, 63]).) Non-Malleable String Commitment: A second important scenario for non-malleability is string commitment. Let A and B run a string commitment protocol. Assume that A is non-faulty, and that A commits...

324 | Zero knowledge proofs of identity
- Feige, Fiat, et al.
- 1987
Citation context: ..., we can convert any zero-knowledge interaction into a non-malleable one. In particular we obtain non-malleable zero-knowledge proofs of possession of knowledge, in the sense of Feige, Fiat, and Shamir [31]. Zero-knowledge protocols [44, 40] may compose in an unexpectedly malleable fashion. A classic example is the so-called "man-in-the-middle" attack (also known as the "intruder-in-the-middle," "Mafia s...

321 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation context: ...esult by calling eminent Professor E and acting as a transparent prover. Any questions posed by Professor E to Professor B are relayed by the latter to A, and A's answers to Professor B are then relayed in turn to Professor E. (Footnote 1: For more on existentially unforgeable signature schemes see [27, 45, 60].) We solve this problem with a non-malleable zero-knowledge proof of knowledge. Researcher A will get proper...

260 | Public key cryptosystems provably secure against chosen ciphertext attacks, STOC '90
- Naor, Yung
Citation context: ...ainst a public-key cryptosystem. The attacker can (trivially) see a ciphertext of any plaintext message (because she can use the public encryption key to encrypt). Chosen ciphertext in the sense of [61], sometimes called lunch-break or lunch-time attacks in the literature; we prefer the term chosen ciphertext attack in the preprocessing mode, abbreviated CCA-pre. Here, the adversary may access a dec...

249 | Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS
- Bleichenbacher
Citation context: ...to think about trying to break a candidate system is to think of trying to maul the target ciphertext(s). This was done (without the vocabulary of non-malleability) in the recent work of Bleichenbacher [11] (see Section 6). 3.4.3 On Allowing A′ to Choose M′: Having A′ choose M′, rather than inheriting M′ = M from A, makes the adversary simulator weaker: the real adversary A is allowed to mount a ch...

244 | Bit commitment using pseudorandomness
- Naor
- 1991
Citation context: ...ction 3. Our non-malleable scheme for string commitment requires as a building block a (possibly malleable) string commitment scheme. Such a scheme, based on pseudo-random generators, is presented in [55] (although any computational scheme will do). The protocol described there is interactive and requires two phases: first the receiver sends a string and then the sender actually commits. However, the firs...

219 | Provably secure session key distribution: the three party case
- Bellare, Rogaway
- 1995
Citation context: ...maining P_i's. For example, show that the adversary can't find the bitwise logical-OR of the remaining pictures. This type of problem is simply ignored in papers on generating session keys (see, e.g., [8, 9]). If session keys are to be used for encryption, then the selective decryption problem must be addressed. 7. Design a completely malleable cryptosystem in which, given E(x) and E(y) it is possible...

216 | Optimal asymmetric encryption: How to encrypt with RSA
- Bellare, Rogaway
Citation context: ...lti-party computation, and construct non-malleable protocols for these problems. 3. Simplify the constructions in this paper. Bellare and Rogaway present simplified constructions using a random oracle [6, 7]. A challenging open problem is to (define and) construct a publicly computable pseudo-random function. Such a construction is essential if [6, 7] are to be made complexity-based. For a recent discussi...

210 | A public-key cryptosystem with worst-case/average-case equivalence
- Ajtai, Dwork
- 1996
Citation context: ...here the existence of the stronger kind of cryptosystems is not clear are the hardness of the Diffie-Hellman (search) problem and the unique shortest vector problem (used in the Ajtai-Dwork cryptosystem [1]). 3.4 Remarks. 3.4.1 On Vectors of Encryptions: 1. We have defined non-malleable public key encryptions to cover the case in which A produces a vector of encryptions (E(s_1), ..., E(s_n)), having bee...

204 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation context: ...s H such that for any x and a randomly chosen h ∈_R H the problem of finding y ≠ x such that h(y) = h(x) is intractable. The family we need should compress from any polynomial in n bits to n bits. In [64] such families are constructed from any one-way function. Finally we need a one-time signature scheme, which consists of G_S, the scheme generator that outputs F, the public-key of the signature schem...

197 | Noninteractive zero-knowledge
- Blum, DeSantis, et al.
- 1991
Citation context: ...of a string x in L_n = L ∩ {0,1}^n, P sends a message p as a proof of membership. V decides whether to accept or to reject the proof. Non-interactive zero knowledge proof systems were introduced in [12, 13]. A non-interactive zero-knowledge scheme for proving membership in any language in NP which may be based on any trapdoor permutation is described in [32]. Recently, Kilian and Petrank [49, 50] found...

195 | On the composition of zero-knowledge proof systems
- Goldreich, Krawczyk
- 1996
Citation context: ...w whether the protocol presented is indeed zero-knowledge in this sense, i.e., that the receiver could have simulated the conversation alone (although it is almost surely not black-box zero knowledge [38]). By adding a (malleable) proof of knowledge to the string r this can be ensured in the sequential case. We do not know if the resulting zero-knowledge authentication protocol remains zero-knowledge...

175 | Multiple non-interactive zero knowledge proofs under general assumptions
- Feige, Lapidot, et al.
- 1999
Citation context: ...nowledge proof systems were introduced in [12, 13]. A non-interactive zero-knowledge scheme for proving membership in any language in NP which may be based on any trapdoor permutation is described in [32]. Recently, Kilian and Petrank [49, 50] found more efficient implementations of such schemes. Their scheme is for the circuit satisfiability problem. Let k be a security parameter. Assuming a trapdoor per...

172 | Concurrent zero knowledge
- Dwork, Naor, et al.
- 1998
Citation context: ...alleability. 3. For every ε there exists A′ running in time polynomial in n and ε^{-1} such that |(A, R) − (A′, R)| ≤ ε; this is ε-malleability, this time in analogy to ε-knowledge ([42]; see also [29]). Our public-key cryptosystem is strictly non-malleable. M. Fischlin and R. Fischlin have pointed out that we do not prove strict non-malleability in our commitment scheme; however, we prove both lib...

171 | Randomized byzantine generals
- Rabin
- 1983

164 | Proofs that yield nothing but their validity and a methodology of cryptographic protocol design
- Goldreich, Micali, et al.
- 1986
Citation context: ...dge interaction into a non-malleable one. In particular we obtain non-malleable zero-knowledge proofs of possession of knowledge, in the sense of Feige, Fiat, and Shamir [31]. Zero-knowledge protocols [44, 40] may compose in an unexpectedly malleable fashion. A classic example is the so-called "man-in-the-middle" attack (also known as the "intruder-in-the-middle," "Mafia scam," and "chess-masters problem")...

152 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 1997
Citation context: ...against a chosen ciphertext attack in the preprocessing mode: Treat K_AB as (K_1, K_2) which will be used as seeds to a pseudo-random function f (see [37] for the definition of pseudo-random functions, [55, 56] for recent constructions and [57] for a recent discussion on using pseudo-random functions for encryption and authentication). In order to encrypt messages which are n bits long we need a pseudorando...

143 | Foundations of Cryptography (Fragments of a Book). Available at http://www.wisdom.weizmann.ac.il/home/oded/public_html/frag.html
- Goldreich
Citation context: ...put U, x, p}: The following is the definition of non-interactive proof systems of [12], modified to incorporate the tractability of P. The uniformity conditions of the system are adopted from Goldreich [35]. Definition 2.5: A triple (P, V, U), where P is a probabilistic polynomial time machine, V is a polynomial time machine, and U is a polynomial time sampleable probability distribution, is a non-interact...

138 | A Lower Bound on the Time to Assure Interactive Consistency
- Fischer, Lynch
- 1982
Citation context: ...non-malleability was inspired by early attempts to solve the distributed coin flipping problem. Although t+1 rounds are necessary for solving Byzantine agreement in the presence of t faulty processors [33], in the presence of a global source of randomness the problem can be solved in constant expected time [62]. Thus, in the mid-1980's several attempts were made to construct a global coin by combining...

117 | An efficient probabilistic public-key encryption scheme which hides all partial information
- Blum, Goldwasser
- 1984
Citation context: ...se becomes that M cannot find two messages (m_0, m_1) for which it can distinguish with polynomial advantage between encryptions of m_0 and m_1. For implementations of probabilistic encryption see [2, 14, 39, 51, 65]. In particular, such schemes can be constructed from any trapdoor permutation. When describing the security of a cryptosystem, one must define what the attack is and what it means to break the system...

117 | Definitions and Properties of Zero-Knowledge Proof Systems
- Goldreich, Oren
- 1994
Citation context: ...execution corresponding to the (A′, B′) interaction is carried out. Note that the three stage protocol described above remains zero-knowledge. This is true, since under the appropriate definition [41], the sequential composition of zero-knowledge protocols is itself zero-knowledge. So in particular, the (A, B) interaction is zero-knowledge. Non-malleable zero-knowledge security is proved as follow...

113 | Towards realizing random oracles: hash functions that hide all partial information
- Canetti
Citation context: ...(define and) construct a publicly computable pseudo-random function. Such a construction is essential if [6, 7] are to be made complexity-based. For a recent discussion on constructing such functions see [17, 18, 19]; note that none of the proposals there is sufficient to yield non-malleability. Very recently Cramer and Shoup [23] suggested an efficient construction of a nonmalleable cryptosystem secure against chos...

79 | Algorithms for black-box fields and their application to cryptography
- Boneh, Lipton
- 1996
Citation context: ...y malleable then it is insecure. A related statement holds for discrete logarithms modulo p, and in general for the black box field problem. See the elegant papers of Maurer [52] and Boneh and Lipton [15]. Acknowledgments: Discussions with Moti Yung on achieving independence started this research. Advice and criticism from Russell Impagliazzo, Charlie Rackoff and Dan Simon were critical in the formatio...

78 | Perfectly one-way probabilistic hash functions
- Canetti, Micciancio, et al.
- 1997
Citation context: ...(define and) construct a publicly computable pseudo-random function. Such a construction is essential if [6, 7] are to be made complexity-based. For a recent discussion on constructing such functions see [17, 18, 19]; note that none of the proposals there is sufficient to yield non-malleability. Very recently Cramer and Shoup [23] suggested an efficient construction of a nonmalleable cryptosystem secure against chos...

76 | Resettable Zero-Knowledge
- Canetti, Goldreich, et al.
- 2000

70 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms
- Maurer
- 1994
Citation context: ...cryptosystem is completely malleable then it is insecure. A related statement holds for discrete logarithms modulo p, and in general for the black box field problem. See the elegant papers of Maurer [52] and Boneh and Lipton [15]. Acknowledgments: Discussions with Moti Yung on achieving independence started this research. Advice and criticism from Russell Impagliazzo, Charlie Rackoff and Dan Simon wer...

64 | Efficient and Non-interactive Non-malleable Commitments
- Di Crescenzo, Katz, et al.
Citation context: ...sed on the Decisional Diffie-Hellman assumption (see [57] for a discussion of the assumption) and requires only a few modular exponentiations for encryption and decryption. Recently, Di Crescenzo et al. [26] showed that in a model in which there is a common random string shared by all parties, it is possible to obtain a non-interactive weaker variant of non-malleable commitments. Recall that, informally,...

56 | Non-Interactive Zero-Knowledge Proof Systems
- Blum, Feldman, et al.
- 1988
Citation context: ...of a string x in L_n = L ∩ {0,1}^n, P sends a message p as a proof of membership. V decides whether to accept or to reject the proof. Non-interactive zero knowledge proof systems were introduced in [12, 13]. A non-interactive zero-knowledge scheme for proving membership in any language in NP which may be based on any trapdoor permutation is described in [32]. Recently, Kilian and Petrank [49, 50] found...

46 | An efficient existentially unforgeable signature scheme and its applications
- Dwork, Naor
- 1994
Citation context: ...esult by calling eminent Professor E and acting as a transparent prover. Any questions posed by Professor E to Professor B are relayed by the latter to A, and A's answers to Professor B are then relayed in turn to Professor E. (Footnote 1: For more on existentially unforgeable signature schemes see [27, 44, 59].) We solve this problem with a non-malleable zero-knowledge proof of knowledge. Researcher A will get proper cr...

45 | How to sign given any trapdoor function
- Bellare, Micali
- 1988
Citation context: ...that anyone knowing F can verify the signature and no one who does not know the private key P can generate a valid signature on any message except the one signed. For exact definition and history see [5, 45, 60]. 3.2 The Non-Malleable Public-Key Encryption Scheme: We are now ready to present the scheme S. Key generation. 1. Run G_P(1^n), the probabilistic encryption key generator, 2n times. Denote the output...

43 | The Random Oracle Methodology
- Canetti, Goldreich, et al.
Citation context: ...(define and) construct a publicly computable pseudo-random function. Such a construction is essential if [6, 7] are to be made complexity-based. For a recent discussion on constructing such functions see [17, 18, 19]; note that none of the proposals there is sufficient to yield non-malleability. Very recently Cramer and Shoup [23] suggested an efficient construction of a nonmalleable cryptosystem secure against chos...

42 | Synthesizers and their application to the parallel construction of pseudo-random functions
- Naor, Reingold

39 | Number theoretic constructions of efficient pseudo random functions
- Naor, Reingold
Citation context: ...e against a chosen ciphertext attack in the preprocessing mode: Treat K_AB as (K_1, K_2) which will be used as seeds to a pseudo-random function f (see [37] for the definition of pseudo-random functions, [56, 57] for recent constructions and [58] for a recent discussion on using pseudo-random functions for encryption and authentication). In order to encrypt messages which are n bits long we need a pseudorando...

38 | New generation of secure and practical RSA-based signatures
- Cramer, Damgaard
- 1996
Citation context: ...sage encrypted with E_ij is indeed signed with the corresponding p_j. Note that the sender may use a one-time signature scheme for (s_j, p_j) and if the receiver uses a signature scheme such as in [27, 22], then the approach is relatively efficient. 4 A Non-Malleable Scheme for String Commitment: We present below a scheme S for string commitment that is non-malleable with respect to itself (Definition 2....

37 | Access control and Signatures via quorum secret sharing
- Naor, Wool
- 1996
Citation context: ...hertext (in addition to the plaintext). The following problem, phrased here in terms of a CD-ROM, is a concrete instance in which this kind of attack is relevant (the version presented here is due to [59], and is a variant of a problem posed by O. Goldreich): A CD-ROM is generated containing the encryptions of 100 images (generally, n images). A user, having a copy of the CD-ROM, chooses any subset, s...

36 | One-way functions are necessary and sufficient for secure signatures
- Rompel
- 1990
Citation context: ...ons H such that for any x and a randomly chosen h ∈_R H the problem of finding y ≠ x such that h(y) = h(x) is intractable. The family we need should compress from any polynomial in n bits to n bits. In [65] such families are constructed from any one-way function. Finally we need a one-time signature scheme, which consists of G_S, the scheme generator that outputs F, the public-key of the signature schem...

29 | A formal treatment of remotely keyed encryption
- Blaze, Feigenbaum, et al.
- 1998
Citation context: ...but not self-validating, since the adversary can create ciphertexts of random messages. For a recent application of the above construction to the security of remotely-keyed encryption see Blaze et al. [10]. Interactive Encryption: The second setting resembles the one studied by Goldwasser, Micali, and Tong [46], in which they constructed an interactive public key cryptosystem secure against chosen ci...

29 | Why and how to establish a private code on a public network, 23rd FOCS
- Goldwasser, Micali, et al.
- 1982
Citation context: ...ion of the above construction to the security of remotely-keyed encryption see Blaze et al. [10]. Interactive Encryption: The second setting resembles the one studied by Goldwasser, Micali, and Tong [46], in which they constructed an interactive public key cryptosystem secure against chosen ciphertext attack (see also [34, 67]). An "interactive public key cryptosystem" requires a public file storing in...