Results 1  10
of
29
Concurrent ZeroKnowledge
 IN 30TH STOC
, 1999
"... Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two proces ..."
Abstract

Cited by 177 (18 self)
 Add to MetaCart
Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2 , if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist fourround almost concurrent zeroknowledge interactive proofs and perfect concurrent zeroknowledge arguments for every language in NP . We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
HMQV: A HighPerformance Secure DiffieHellman Protocol
 Protocol, Advances in Cryptology — CRYPTO ’05, LNCS 3621
, 2005
"... The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a ..."
Abstract

Cited by 167 (6 self)
 Add to MetaCart
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most e#cient of all known authenticated Di#eHellman protocols that use publickey authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information".
NonInteractive Anonymous Credentials
 AVAILABLE FROM THE IACR CRYPTOLOGY EPRINT ARCHIVE AS REPORT 2007/384.
, 2008
"... In this paper, we introduce Psignatures. A Psignature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a noninteractive proof system for proving that the contents of a commitment has been signed; (3) a ..."
Abstract

Cited by 47 (10 self)
 Add to MetaCart
In this paper, we introduce Psignatures. A Psignature scheme consists of a signature scheme, a commitment scheme, and (1) an interactive protocol for obtaining a signature on a committed value; (2) a noninteractive proof system for proving that the contents of a commitment has been signed; (3) a noninteractive proof system for proving that a pair of commitments are commitments to the same value. We give a definition of security for Psignatures and show how they can be realized under appropriate assumptions about groups with a bilinear map. We make extensive use of the powerful suite of noninteractive proof techniques due to Groth and Sahai. Our Psignatures enable, for the first time, the design of a practical noninteractive anonymous credential system whose security does not rely on the random oracle model. In addition, they may serve as a useful building block for other
Strengthening ZeroKnowledge Protocols using Signatures
 IN PROCEEDINGS OF EUROCRYPT ’03, LNCS SERIES
, 2003
"... Recently there has been an interest in zeroknowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, nonmalleability, and universal composability. In this paper, ..."
Abstract

Cited by 39 (8 self)
 Add to MetaCart
Recently there has been an interest in zeroknowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, nonmalleability, and universal composability. In this paper,
Deniable Ring Authentication
 In Proceedings of Crypto 2002, volume 2442 of LNCS
, 2002
"... Abstract. Digital Signatures enable authenticating messages in a way that disallows repudiation. While nonrepudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Si ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Digital Signatures enable authenticating messages in a way that disallows repudiation. While nonrepudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Signatures (see Rivest, Shamir and Tauman [38]). In this paper we show how to combine these notions and achieve Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad hoc subset of participants (a ring) is authenticating a message m without revealing which one (source hiding), and the verifier V cannot convince a third party that message m was indeed authenticated – there is no ‘paper trail ’ of the conversation, other than what could be produced by V alone, as in zeroknowledge. We provide an efficient protocol for deniable ring authentication based on any strong encryption scheme. That is once an entity has published a publickey of such an encryption system, it can be drafted to any such ring. There is no need for any other cryptographic primitive. The scheme can be extended to yield threshold authentication (e.g. at least k members of the ring are approving the message) as well. 1
Multitrapdoor commitments and their applications to proofs of knowledge secure under concurrent maninthemiddle attacks (Extended Abstract)
 IN CRYPTO
, 2004
"... We introduce the notion of multitrapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multitrapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong DiffieHellman Assumption. The ..."
Abstract

Cited by 30 (2 self)
 Add to MetaCart
(Show Context)
We introduce the notion of multitrapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multitrapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong DiffieHellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent maninthemiddle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or DiffieHellman Assumption.
Deniable Authentication and Key Exchange
 Proceedings of the 13th ACM conference on Computer and communications security. 400–409
, 2006
"... Abstract. We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable keyexchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchan ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
Abstract. We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable keyexchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchange (IKE) protocol. The two protocols require distinct approaches to their deniability analysis, hence highlighting important definitional issues as well as necessitating different tools in the analysis. SKEME is an encryptionbased protocol for which we prove full deniability based on the plaintext awareness of the underlying encryption scheme. Interestingly SKEME’s deniability is possibly the first “natural ” application which essentially requires plaintext awareness (until now this notion has been mainly used as a tool for proving chosenciphertext security); in particular this use of plaintext awareness is not tied to the random oracle model. SIGMA, on the other hand, uses nonrepudiable signatures for authentication and hence cannot be proven to be fully deniable. Yet we are able to prove a weaker, but meaningful, “partial deniability ” property: a party may not be able to deny that it was “alive ” at some point in time but can fully deny the contents of its communications and the identity of its interlocutors. We remark that the deniability of SKEME and SIGMA holds in a concurrent setting and does not essentially rely on the random oracle model.
Extractable perfectly oneway functions
 ICALP, Track C
, 2008
"... Abstract. We propose a new cryptographic primitive, called extractable perfectly oneway (EPOW) functions. Like perfectly oneway (POW) functions, EPOW functions are probabilistic functions that reveal no information about their input, other than the ability to verify guesses. In addition, an EPOW f ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a new cryptographic primitive, called extractable perfectly oneway (EPOW) functions. Like perfectly oneway (POW) functions, EPOW functions are probabilistic functions that reveal no information about their input, other than the ability to verify guesses. In addition, an EPOW function, f, guarantees that any party that manages to compute a value in the range of f “knows ” a corresponding preimage. We capture “knowledge of preimage ” by way of algorithmic extraction. We formulate two main variants of extractability, namely noninteractive and interactive. The noninteractive variant (i.e., the variant that requires noninteractive extraction) can be regarded as a generalization from specific knowledge assumptions to a notion that is formulated in general computational terms. Indeed, we show how to realize it under several different assumptions in the literature. The interactiveextraction variant can be realized from certain POW functions. We demonstrate the usefulness of the new primitive in two quite different settings. First, we show how EPOW functions can be used to capture, in the standard model, the “knowledge of queries ” property that is so useful in the Random Oracle (RO) model. Specifically, we show how to convert a class of CCA2secure encryption schemes in the RO model to concrete ones by simply replacing the Random Oracle with an EPOW function, without much change in the logic of the original proof. Second, we show how EPOW functions can be used to construct 3round ZK arguments of knowledge and membership, using weaker knowledge assumptions than the corresponding results due to Hada and Tanaka (Crypto 1998) and Lepinski (M.S. Thesis, 2004). This also opens the door for constructing 3round ZK arguments based on other assumptions sufficient for constructing EPOW functions. 1
New approaches for deniable authentication
 In Proceedings of the 12th ACM conference on Computer and communications security
, 2005
"... Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place. We present two new approaches to the problem of deniable authentication. The novelty o ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
Deniable Authentication protocols allow a Sender to authenticate a message for a Receiver, in a way that the Receiver cannot convince a third party that such authentication (or any authentication) ever took place. We present two new approaches to the problem of deniable authentication. The novelty of our schemes is that they do not require the use of CCAsecure encryption (all previous known solutions did), thus showing a different generic approach to the problem of deniable authentication. These new approaches are practically relevant as they lead to more efficient protocols. In the process we point out a subtle definitional issue for deniability. In particular we propose the notion of forward deniability, which requires that the authentications remain deniable even if the Sender wants to later prove that she authenticated a message. We show that a simulationbased definition of deniability, where the simulation can be computationally indistinguishable from the real protocol does not imply forward deniability. Thus for deniability one needs to restrict the simulation to be perfect (or statistically close). Our new protocols satisfy this stricter requirement. 1