
Showing papers by "Moni Naor published in 2007"


Book
TL;DR: This work discusses an Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries, and a Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security.
Abstract: Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities.- Non-trivial Black-Box Combiners for Collision-Resistant Hash-Functions Don't Exist.- The Collision Intractability of MDC-2 in the Ideal-Cipher Model.- An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries.- Revisiting the Efficiency of Malicious Two-Party Computation.- Efficient Two-Party Secure Computation on Committed Inputs.- Universally Composable Multi-party Computation Using Tamper-Proof Hardware.- Generic and Practical Resettable Zero-Knowledge in the Bare Public-Key Model.- Instance-Dependent Verifiable Random Functions and Their Application to Simultaneous Resettability.- Conditional Computational Entropy, or Toward Separating Pseudoentropy from Compressibility.- Zero Knowledge and Soundness Are Symmetric.- Mesh Signatures.- The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks.- Batch Verification of Short Signatures.- Cryptanalysis of SFLASH with Slightly Modified Parameters.- Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy.- Secure Computation from Random Error Correcting Codes.- Round-Efficient Secure Computation in Point-to-Point Networks.- Atomic Secure Multi-party Multiplication with Low Communication.- Cryptanalysis of the Sidelnikov Cryptosystem.- Toward a Rigorous Variation of Coppersmith's Algorithm on Three Variables.- An L(1/3+ε) Algorithm for the Discrete Logarithm Problem for Low Degree Curves.- General Ad Hoc Encryption from Exponent Inversion IBE.- Non-interactive Proofs for Integer Multiplication.- Ate Pairing on Hyperelliptic Curves.- Ideal Multipartite Secret Sharing Schemes.- Non-wafer-Scale Sieving Hardware for the NFS: Another Attempt to Cope with 1024-Bit.- Divisible E-Cash Systems Can Be Truly Anonymous.- A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security.- Range Extension for Weak PRFs; The Good, the Bad, and the Ugly.- Feistel Networks Made Public, and Applications.- Oblivious-Transfer Amplification.- Simulatable Adaptive Oblivious Transfer.

261 citations


Journal Article
TL;DR: This work presents a zap for every language in NP, based on the existence of noninteractive zero-knowledge proofs in the shared random string model, and characterizes the existence of zaps in terms of a primitive called verifiable pseudorandom bit generators.
Abstract: A zap is a 2-round, public coin witness-indistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed “once and for all” and applied to any instance. We present a zap for every language in NP, based on the existence of noninteractive zero-knowledge proofs in the shared random string model. The zap is in the standard model and hence requires no common guaranteed random string. We present several applications for zaps, including 3-round concurrent zero-knowledge and 2-round concurrent deniable authentication, in the timing model of Dwork, Naor, and Sahai [J. ACM, 51 (2004), pp. 851-898], using moderately hard functions. We also characterize the existence of zaps in terms of a primitive called verifiable pseudorandom bit generators.

106 citations


Proceedings Article
28 Oct 2007
TL;DR: This paper formally proves the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions, that has "everlasting privacy": even a computationally unbounded adversary gains no information about specific votes from observing the protocol's output.
Abstract: In this paper we propose a new voting protocol with desirable security properties. The voting stage of the protocol can be performed by humans without computers; it provides every voter with the means to verify that all the votes were counted correctly (universal verifiability) while preserving ballot secrecy. The protocol has "everlasting privacy": even a computationally unbounded adversary gains no information about specific votes from observing the protocol's output. Unlike previous protocols with these properties, this protocol distributes trust between two authorities: a single corrupt authority will not cause voter privacy to be breached. Finally, the protocol is receipt-free: a voter cannot prove how she voted even if she wants to do so. We formally prove the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions.

99 citations


Journal Article
TL;DR: It is shown that, using this approach, it is possible to construct any family of constant degree graphs in a dynamic environment, though with worse parameters, and it is expected that more distributed data structures could be designed and implemented in a dynamic environment.
Abstract: We propose a new approach for constructing P2P networks based on a dynamic decomposition of a continuous space into cells corresponding to servers. We demonstrate the power of this approach by suggesting two new P2P architectures and various algorithms for them. The first serves as a DHT (distributed hash table) and the other is a dynamic expander network. The DHT network, which we call Distance Halving, allows logarithmic routing and load while preserving constant degrees. It offers an optimal tradeoff between degree and path length in the sense that degree d guarantees a path length of O(log_d n). Another advantage over previous constructions is its relative simplicity. A major new contribution of this construction is a dynamic caching technique that maintains low load and storage, even under the occurrence of hot spots. Our second construction builds a network that is guaranteed to be an expander. The resulting topologies are simple to maintain and implement. Their simplicity makes it easy to modify and add protocols. A small variation yields a DHT which is robust against random Byzantine faults. Finally we show that, using our approach, it is possible to construct any family of constant degree graphs in a dynamic environment, though with worse parameters. Therefore, we expect that more distributed data structures could be designed and implemented in a dynamic environment.

98 citations


Book Chapter
03 Jun 2007
TL;DR: Cryptographic and physical zero-knowledge proof schemes for Sudoku, a popular combinatorial puzzle, are considered, discussing methods that allow one party, the prover, to convince another party, the verifier, that the prover has solved a Sudoku puzzle, without revealing the solution to the verifier.
Abstract: We consider cryptographic and physical zero-knowledge proof schemes for Sudoku, a popular combinatorial puzzle. We discuss methods that allow one party, the prover, to convince another party, the verifier, that the prover has solved a Sudoku puzzle, without revealing the solution to the verifier. The question of interest is how a prover can show: (i) that there is a solution to the given puzzle, and (ii) that he knows the solution, while not giving away any information about the solution to the verifier. In this paper we consider several protocols that achieve these goals. Broadly speaking, the protocols are either cryptographic or physical. By a cryptographic protocol we mean one in the usual model found in the foundations of cryptography literature. In this model, two machines exchange messages, and the security of the protocol relies on computational hardness. By a physical protocol we mean one that is implementable by humans using common objects, and preferably without the aid of computers. In particular, our physical protocols utilize scratch-off cards, similar to those used in lotteries, or even just simple playing cards. The cryptographic protocols are direct and efficient, and do not involve a reduction to other problems. The physical protocols are meant to be understood by "lay-people" and implementable without the use of computers.

26 citations


Book Chapter
09 Jul 2007
TL;DR: In this paper, the authors proposed a secure vote storage mechanism that does not reveal the insertion order of the elements in the voting set. But the complexity of the mechanism is linear in the number of stored elements and poly-logarithmic in the size of the universe of elements.
Abstract: Motivated by the challenging task of designing "secure" vote storage mechanisms, we deal with information storage mechanisms that operate in extremely hostile environments. In such environments, the majority of existing techniques for information storage and for security are susceptible to powerful adversarial attacks. In this setting, we propose a mechanism for storing a set of at most K elements from a large universe of size N on write-once memories in a manner that does not reveal the insertion order of the elements. Whereas previously known constructions were either inefficient (required Θ(K^2) memory), randomized, or employed cryptographic techniques which are unlikely to be available in hostile environments, we eliminate each of these undesirable properties. The total amount of memory used by the mechanism is linear in the number of stored elements and poly-logarithmic in the size of the universe of elements. In addition, we consider one of the classical distributed computing problems: conflict resolution in multiple-access channels. By establishing a tight connection with the basic building block of our mechanism, we construct the first deterministic and non-adaptive conflict resolution algorithm whose running time is optimal up to poly-logarithmic factors.

23 citations


01 Jan 2007
TL;DR: A lower bound is shown proving that, in order to reduce the number of hops, information regarding neighbors only is insufficient; thus the NoN approach is essential.
Abstract: Greedy routing is a common approach when a graph has some underlying metric. We present an approach for designing routing algorithms called NoN-Greedy (Neighbor-of-Neighbor). We show that in two settings it significantly reduces the number of hops taken before the destination is reached and can yield degree optimal routing (in a network of degree O(log n) this means O(log n / log log n) hops). In particular we consider the skip-graph peer-to-peer network and the small world settings and show that both models indeed permit degree optimal routing. The theoretical results are backed by simulations which show a significant improvement. While not being Greedy per se, the NoN-Greedy algorithm preserves some good properties of greedy algorithms. Furthermore we show a lower bound proving that in order to reduce the number of hops, information regarding neighbors only is insufficient; thus the NoN approach is essential.

6 citations


Book Chapter
20 Aug 2007
TL;DR: The authors' emulation is faithful in the sense that their graphs are indistinguishable from G(N,p) graphs from the view of any efficient algorithm that inspects the graph by neighborhood queries of its choice.
Abstract: Consider a scenario where one desires to simulate the execution of some graph algorithm on huge random G(N,p) graphs, where N = 2^n vertices are fixed and each edge independently appears with probability p = p_n. Sampling and storing these graphs is infeasible, yet Goldreich et al. [7], and Naor et al. [12] considered emulating dense G(N,p) graphs by efficiently computable `random looking' graphs. We emulate sparse G(N,p) graphs - including the densities of the G(N,p) threshold for containing a giant component (p ~ 1/N), and for achieving connectivity (p ~ ln N / N). The reasonable model for accessing sparse graphs is neighborhood queries where on query-vertex v, the entire neighbor-set Γ(v) is efficiently retrieved (without sequentially deciding adjacency for each vertex). Our emulation is faithful in the sense that our graphs are indistinguishable from G(N,p) graphs from the view of any efficient algorithm that inspects the graph by neighborhood queries of its choice. In particular, the G(N,p) degree sequence is sufficiently well approximated.

6 citations


Posted Content
TL;DR: This work proposes the first deterministic and non-adaptive conflict resolution algorithm whose running time is optimal up to poly-logarithmic factors and considers one of the classical distributed computing problems: Conflict resolution in multiple-access channels.
Abstract: Motivated by the challenging task of designing "secure" vote storage mechanisms, we study information storage mechanisms that operate in extremely hostile environments. In such environments, the majority of existing techniques for information storage and for security are susceptible to powerful adversarial attacks. We propose a mechanism for storing a set of at most K elements from a large universe of size N on write-once memories in a manner that does not reveal the insertion order of the elements. We consider a standard model for write-once memories, in which the memory is initialized to the all 0's state, and the only operation allowed is flipping bits from 0 to 1. Whereas previously known constructions were either inefficient (required Θ(K^2) memory), randomized, or employed cryptographic techniques which are unlikely to be available in hostile environments, we eliminate each of these undesirable properties. The total amount of memory used by the mechanism is linear in the number of stored elements and poly-logarithmic in the size of the universe of elements. We also demonstrate a connection between secure vote storage mechanisms and one of the classical distributed computing problems: conflict resolution in multiple-access channels. By establishing a tight connection with the basic building block of our mechanism, we construct the first deterministic and non-adaptive conflict resolution algorithm whose running time is optimal up to poly-logarithmic factors. A preliminary version of this work appeared in Proceedings of the 34th International Colloquium on Automata, Languages and Programming (ICALP), pages 303-315, 2007.
Authors' affiliation: Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Email: {tal.moran,moni.naor,gil.segev}@weizmann.ac.il. Research supported in part by a grant from the Israel Science Foundation. Moni Naor is Incumbent of the Judith Kleeman Professorial Chair.

2 citations