Results 1 - 10 of 42
New and improved constructions of non-malleable cryptographic protocols
In 37th Annual ACM Symposium on Theory of Computing, 2005
Cited by 54 (18 self)
Abstract: We present a new constant-round protocol for non-malleable zero-knowledge. Using this protocol as a subroutine, we obtain a new constant-round protocol for non-malleable commitments. Our constructions rely on the existence of (standard) collision-resistant hash functions. Previous constructions either relied on the existence of trapdoor permutations and hash functions that are collision-resistant against sub-exponential-sized circuits, or required a super-constant number of rounds. Additional results are the first construction of a non-malleable commitment scheme that is statistically hiding (with respect to opening), and the first non-malleable commitments that satisfy a strict polynomial-time simulation requirement. Our approach differs from the approaches taken in previous works in that we view non-malleable zero-knowledge as a building block rather than an end goal. This gives rise to a modular construction of non-malleable commitments and results in a somewhat simpler analysis.
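Non-malleability, in the sense the constructions above achieve, rules out a man-in-the-middle who, after seeing a commitment to some value v, produces a commitment to a related value f(v) and can later open it once the honest opening is revealed. As an added illustration that is not code from this paper or any other entry on the page, the following Python shows that a plain Pedersen commitment g^m h^r is malleable in exactly this way. The group parameters (a toy safe prime p = 1019 with q = 509, generators g = 4 and h = 9 of the order-q subgroup) are assumed for the demonstration only and are far too small for real use.

```python
# Added example: malleability of a plain Pedersen commitment (toy parameters).
# Assumed parameters, not from any paper listed on the page:
P = 1019          # safe prime, P = 2*Q + 1
Q = 509           # prime order of the subgroup of quadratic residues mod P
G = 4             # 2^2 mod P, a generator of the order-Q subgroup
H = 9             # 3^2 mod P, another generator; log_G(H) assumed unknown to all parties

def params_ok():
    """Sanity check: G and H lie in the order-Q subgroup and are not the identity."""
    return pow(G, Q, P) == 1 and pow(H, Q, P) == 1 and G != 1 and H != 1

def commit(m, r):
    """Pedersen commitment C = g^m * h^r mod p, with m and r taken mod q."""
    return (pow(G, m % Q, P) * pow(H, r % Q, P)) % P

def verify(c, m, r):
    """Check an opening (m, r) against a commitment c."""
    return commit(m, r) == c

def maul(c, delta):
    """Man-in-the-middle step: multiply by g^delta to obtain a commitment
    to m + delta without knowing m (uses only the public commitment)."""
    return (c * pow(G, delta % Q, P)) % P

def maul_open(m, r, delta):
    """Once the honest committer opens (m, r), the attacker opens the mauled
    commitment as (m + delta, r): g^(m+delta) h^r = (g^m h^r) * g^delta."""
    return ((m + delta) % Q, r)

def demo(m, r, delta):
    """Run the left (honest) and right (attacker) sessions of the MitM scenario.
    Returns (honest opening verifies, mauled opening verifies, mauled value == m + delta)."""
    c = commit(m, r)                  # honest committer -> attacker
    c_mauled = maul(c, delta)         # attacker -> honest receiver, before m is known
    m2, r2 = maul_open(m, r, delta)   # after the honest opening is published
    return (verify(c, m, r), verify(c_mauled, m2, r2), m2 == (m + delta) % Q)

if __name__ == "__main__":
    assert params_ok()
    # Constructed sample: a sealed bid of 123 with randomness 77; attacker outbids by 1.
    print(demo(123, 77, 1))           # (True, True, True): the related commitment opens correctly
```

The attacker never learns m before committing, yet its commitment is guaranteed to open to m + delta; a scheme meeting the non-malleability definitions targeted by the papers above makes this (and any other efficiently computable relation between the two committed values) infeasible.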
Constant-round concurrent zero knowledge from falsifiable assumptions
2012
Cited by 17 (5 self)
Abstract: We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: roughly speaking, that Micali's non-interactive CS-proofs are sound for languages in P.
Non-Malleability Amplification
In 41st STOC, 2009
Cited by 17 (9 self)
Abstract: We show a technique for amplifying commitment schemes that are non-malleable with respect to identities of length t, into ones that are non-malleable with respect to identities of length Ω(2^t), while only incurring a constant overhead in round complexity. As a result we obtain a construction of O(1)^{log* n}-round (i.e., "essentially" constant-round) non-malleable commitments from any one-way function, and using a black-box proof of security.
Adaptive Hardness and Composable Security in the Plain Model from Standard Assumptions
Cited by 15 (5 self)
Abstract: We construct the first general secure computation protocols that require no trusted infrastructure other than authenticated communication, and that satisfy a meaningful notion of security that is preserved under universal composition, assuming only the existence of enhanced trapdoor permutations. The notion of security fits within a generalization of the "angel-based" framework of Prabhakaran and Sahai (STOC'04) and implies super-polynomial-time simulation security. Security notions of this kind are currently known to be realizable only under strong and specific hardness assumptions. A key element in our construction is a commitment scheme that satisfies a new and strong notion of security. The notion, security against chosen-commitment attacks (CCA security), means that security holds even if the attacker has access to an extraction oracle that gives the adversary decommitment information for commitments of the adversary's choice. This notion is stronger than concurrent non-malleability and is of independent interest. We construct CCA-secure commitments based on standard one-way functions, and with no trusted setup. To the best of our knowledge, this provides the first construction of a natural cryptographic primitive requiring adaptive hardness from standard hardness assumptions, using no trusted setup or public keys.
Keywords: cryptography; adaptive hardness; secure multiparty computation; composable security
Concurrent Non-Malleable Zero Knowledge
In Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science, 2006
Cited by 12 (0 self)
Abstract: We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model with no common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can choose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out the existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties' inputs in each execution are chosen adaptively based on the results of previous executions
Constant Round Non-Malleable Protocols using One Way Functions
Cited by 11 (3 self)
Abstract: We provide the first constant round constructions of non-malleable commitment and zero-knowledge protocols based only on one-way functions. This improves upon several previous (incomparable) works which required either: (a) a super-constant number of rounds, or, (b) non-standard or sub-exponential hardness assumptions, or, (c) non-black-box simulation and collision-resistant hash functions. These constructions also allow us to obtain the first constant round multiparty computation protocol by relying only on the existence of constant round oblivious transfer protocols. A simple modification of our commitment scheme gives a construction which makes use of the underlying one-way function in a black-box way. The modified construction satisfies a slightly weaker (yet natural) notion of non-malleability which still suffices to obtain a (fully) black-box multiparty computation protocol. This allows us to obtain a constant round multiparty computation protocol making only black-box use of the standard cryptographic primitives with polynomial-time hardness.
Limits of Provable Security From Standard Assumptions
2011
Cited by 11 (3 self)
Abstract: We show that the security of some well-known cryptographic protocols, primitives and assumptions (e.g., the Schnorr identification scheme, commitments secure under adaptive selective-decommitment, the "one-more" discrete logarithm assumption) cannot be based on any standard assumption using a Turing (i.e., black-box) reduction. These results follow from a general result showing that Turing reductions cannot be used to prove security of constant-round sequentially witness-hiding special-sound protocols for unique witness relations, based on standard assumptions; we emphasize that this result holds even if the protocol makes non-black-box use of the
Constant-Round Non-Malleable Commitments from Any One-Way Function
2011
Cited by 10 (3 self)
Abstract: We show unconditionally that the existence of commitment schemes implies the existence of constant-round non-malleable commitments; earlier protocols required additional assumptions such as collision-resistant hash functions or sub-exponential one-way functions. Our protocol also satisfies the stronger notions of concurrent non-malleability and robustness. As a corollary, we establish that constant-round non-malleable zero-knowledge arguments for NP can be based on one-way functions and constant-round secure multiparty computation can be based on enhanced trapdoor permutations; also here, earlier protocols additionally required either collision-resistant hash functions or sub-exponential one-way functions.
Constant-round Non-Malleable Commitment from Strong One-Way Functions
In Crypto '08, Springer LNCS 5157, 2008
Cited by 10 (5 self)
Abstract: We present a constant-round non-malleable commitment scheme based on the existence of sub-exponential one-way functions and using a black-box proof of security. As far as we know, this is the first construction of a constant-round non-malleable protocol based on only one-wayness, or to admit a black-box proof of security under any standard-type assumption.
Password-Authenticated Session-Key Generation on the Internet in the Plain Model
Cited by 9 (6 self)
Abstract: The problem of password-authenticated key exchange (PAKE) has been extensively studied for the last two decades. Despite extensive studies, no construction was known for a PAKE protocol that is secure in the plain model in the setting of concurrent self-composition, where polynomially many protocol sessions with the same password may be executed on the distributed network (such as the Internet) in an arbitrarily interleaved manner, and where the adversary may corrupt any number of participating parties. In this paper, we resolve this long-standing open problem. In particular, we give the first construction of a PAKE protocol that is secure (with respect to the standard definition of Goldreich and Lindell) in the fully concurrent setting and without requiring any trusted setup assumptions. We stress that we allow polynomially many concurrent sessions, where the polynomial is not fixed in advance and can be determined by an adversary in an adaptive manner. Interestingly, our proof, among other things, requires important ideas from Precise Zero Knowledge theory recently developed by Micali and Pass in their STOC'06 paper.