Showing papers in "IACR Cryptology ePrint Archive in 1998"


Posted Content
TL;DR: In this paper, the authors present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks and show how to systematically transform solutions that work in a model of authenticated communications into solutions that are secure in the realistic setting of communication channels controlled by an active adversary.
Abstract: We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key exchange protocols. The key element in our approach is a modular treatment of the authentication problem in cryptographic protocols; this applies to the definition of security, to the design of the protocols, and to their analysis. In particular, following this modular approach, we show how to systematically transform solutions that work in a model of idealized authenticated communications into solutions that are secure in the realistic setting of communication channels controlled by an active adversary. Using these principles we construct and prove the security of simple and practical authentication and key-exchange protocols. In particular, we provide a security analysis of some well-known key exchange protocols (e.g. authenticated Diffie-Hellman key exchange), and of some of the techniques underlying the design of several authentication protocols that are currently being deployed on a large scale for the Internet Protocol and other applications.

410 citations


Patent
Hugo Krawczyk, Tal Rabin
TL;DR: Chameleon signatures as mentioned in this paper are similar to "undeniable signatures", but allow for simpler and more efficient realizations and do not involve the design and complexity of zero knowledge proofs on which traditional undeniable signatures are based.
Abstract: A method for providing a digital signature, "chameleon signatures", which provides the signer of a digital signature exclusive control to disclose the contents of the signed information to third parties. The signatures are closely related to "undeniable signatures", but allow for simpler and more efficient realizations. The method is essentially non-interactive, requiring no communication between sender and receiver, and does not involve the design and complexity of zero knowledge proofs on which traditional undeniable signatures are based. The method employs a combination of standard digital signing methods with unique hash functions. These hash functions are characterized by the non-standard property of being collision resistant for the signer but collision tractable for the recipient.

300 citations



Posted Content
TL;DR: In this paper, the authors considered the ED problem, denoted ED (for Entropy Difference), where the input is a pair of circuits, and YES instances (resp., NO instances) are such pairs in which the first circuit generates a distribution with noticeably higher entropy.
Abstract: We consider the following (promise) problem, denoted ED (for Entropy Difference): The input is a pair of circuits, and YES instances (resp., NO instances) are such pairs in which the first (resp., second) circuit generates a distribution with noticeably higher entropy. On one hand we show that any language having a (honest-verifier) statistical zero-knowledge proof is Karp-reducible to ED. On the other hand, we present a public-coin (honest-verifier) statistical zero-knowledge proof for ED. Thus, we obtain an alternative proof of Okamoto's result by which HVSZK: (i.e., honest-verifier statistical zero knowledge) equals public-coin HVSZK. The new proof is much simpler than the original one. The above also yields a trivial proof that HVSZK: is closed under complementation (since ED easily reduces to its complement). Among the new results obtained is an equivalence of a weak notion of statistical zero knowledge to the standard one.

78 citations
Posted Content
TL;DR: The question of whether it is at all possible to base the security of cryptosystems on the assumption that P ≠ NP is discussed and the conclusion is that the question remains open.
Abstract: Recent works by Ajtai and by Ajtai and Dwork bring to light the old (general) question of whether it is at all possible to base the security of cryptosystems on the assumption that P ≠ NP. We discuss this question and in particular review and extend a two-decade old result of Brassard regarding this question. Our conclusion is that the question remains open.

25 citations
Posted Content
TL;DR: The notion of proofs of knowledge is central to cryptographic protocols, and many definitions for it have been proposed; the definition given in this paper is strictly stronger than previous ones, and captures new and desirable properties.
Abstract: The notion of proofs of knowledge is central to cryptographic protocols, and many definitions for it have been proposed. In this work we explore a different facet of this notion, not addressed by prior definitions. Specifically, prior definitions concentrate on capturing the properties of the verifier, and do not pay much attention to the properties of the prover. Our new definition is strictly stronger than previous ones, and captures new and desirable properties. In particular, it guarantees prover feasibility, that is, it guarantees that the time spent by the prover in a proof of knowledge is comparable to that it spends in an "extraction" of this knowledge. Our definition also enables one to consider meaningfully the case of a single, specific prover.

16 citations


Posted Content
TL;DR: The first simple and efficient zero-knowledge proof that an alleged RSA modulus is of the correct form is presented, i.e. the product of two primes, together with a proof that the primes composing the RSA modulus are quasi-safe.
Abstract: We present efficient zero-knowledge proof systems for quasi-safe prime products and other related languages. Quasi-safe primes are a relaxation of safe primes, a class of prime numbers used in many cryptographic applications. More specifically, we present the first simple and efficient zero-knowledge proof that an alleged RSA modulus is of the correct form, i.e. the product of two primes. No previously known proof enforced more than that the modulus was the product of two prime powers. We then present a zero-knowledge proof that the primes composing the RSA modulus are quasi-safe. Our proof systems achieve higher security and better efficiency than all previously known ones. In particular, all our proof systems are perfect or statistical zero-knowledge, meaning that even a computationally unbounded adversary cannot extract any information from the proofs. Moreover, our proof systems are extremely efficient because they do not use general reductions to NP-complete problems, can be easily parallelized preserving zero-knowledge, and are non-interactive for computationally unbounded provers. The prover can also be efficiently implemented given some trap door information and using very little interaction. We demonstrate the applicability of quasi-safe primes by showing how they can be effectively used in the context of RSA based undeniable signatures to enforce the use of keys of a certain format.

10 citations


Posted Content
TL;DR: In this paper, it was shown that for any linear-size circuit, and for any number t < n/3 of faulty parties, the upper bound on the amount of randomness required by general constructions for securely computing any nontrivial function f was polynomial both in n, the total number of parties, and the circuit-size C(f).
Abstract: We investigate the relations between two major properties of multiparty protocols: fault tolerance (or resilience ) and randomness . Fault-tolerance is measured in terms of the maximum number of colluding faulty parties, t , that a protocol can withstand and still maintain the privacy of the inputs and the correctness of the outputs (of the honest parties). Randomness is measured in terms of the total number of random bits needed by the parties in order to execute the protocol. Previously, the upper bound on the amount of randomness required by general constructions for securely computing any nontrivial function f was polynomial both in n , the total number of parties, and the circuit-size C(f) . This was the state of knowledge even for the special case t=1 (i.e., when there is at most one faulty party). In this paper we show that for any linear-size circuit, and for any number t < n/3 of faulty

Posted Content
TL;DR: In this paper, it was shown that quantum key distribution over an arbitrarily long distance of a realistic noisy channel can be made unconditionally secure using reduction from a quantum scheme to a classical scheme.
Abstract: Quantum cryptography has long been claimed to be useful for achieving many tasks that are impossible from the perspective of conventional cryptography. Arguably, the most important problem in quantum cryptography has been a rigorous proof of the security of quantum key distribution, the most wellknown application. This notoriously hard problem has eluded researchers for the last fifteen years and has become even more important after the recent surprising demonstration of the insecurity of many other quantum cryptographic schemes including quantum bit commitment. Here, we solve this long standing problem by showing that, given quantum computers, quantum key distribution over an arbitrarily long distance of a realistic noisy channel can be made unconditionally secure. The novel technique we use is reduction from a quantum scheme to a classical scheme. The security in realistic noisy environments is then proven by using the recent theory of fault-tolerant quantum

Posted Content
TL;DR: In this paper, the problem of secure storage and retrieval of information (SSRI) was addressed, and a secret sharing scheme with shorter shares size in the amortized sense was proposed.
Abstract: In his well-known Information Dispersal Algorithm paper, Rabin showed a way to distribute information in n pieces among n servers in such a way that recovery of the information is possible in the presence of up to t inactive servers. An enhanced mechanism to enable construction in the presence of malicious faults, which can intentionally modify their pieces of the information, was later presented by Krawczyk. Yet, these methods assume that the malicious faults occur only at reconstruction time. In this paper we address the more general problem of secure storage and retrieval of information (SSRI), and guarantee that also the process of storing the information is correct even when some of the servers fail. Our protocols achieve this while maintaining the (asymptotical) space optimality of the above methods. We also consider SSRI with the added requirement of confidentiality, by which no party except for the rightful owner of the information is able to learn anything about it. This is achieved through novel applications of cryptographic techniques, such as the distributed generation of receipts, distributed key management via threshold cryptography, and “blinding”. An interesting byproduct of our scheme is the construction of a secret sharing scheme with shorter shares size in the amortized sense. An immediate practical application of our work is a system for the secure deposit of sensitive data. We also extend SSRI to a “proactive” setting, where an adversary may corrupt all the servers during the lifetime of the system, but only a fraction during any given time interval.


Posted Content
Gerrit Bleumer
TL;DR: In this paper, the notion of divertibility as a protocol property is established, and a sufficient criterion for divertibility is presented and found to be satisfied by many examples of protocols in the literature.
Abstract: In this paper, we establish the notion of divertibility as a protocol property as opposed to the existing notion as a language property (see Okamoto, Ohta [OO90]). We give a definition of protocol divertibility that applies to arbitrary 2-party protocols and is compatible with Okamoto and Ohta’s definition in the case of interactive zero-knowledge proofs. Other important examples falling under the new definition are blind signature protocols. A sufficient criterion for divertibility is presented and found to be satisfied by many examples of protocols in the literature. The generality of the definition can be further demonstrated by examples from protocol classes that have not been considered for divertibility before. For example, we show diverted Diffie-Hellman key exchange.

Posted Content
TL;DR: In this article, the authors survey the security of other quantum cryptographic schemes and their implications on the security in other quantum cryptosystems with respect to the uncertainty principle of quantum computers.
Abstract: Alice has made a decision in her mind. While she does not want to reveal it to Bob at this moment, she would like to convince Bob that she is committed to this particular decision and that she cannot change it at a later time. Is there a way for Alice to get Bob's trust? Until recently, researchers had believed that the above task can be performed with the help of quantum mechanics. And the security of the quantum scheme lies on the uncertainty principle. Nevertheless, such optimism was recently shattered by Mayers and by us, who found that Alice can always change her mind if she has a quantum computer. Here, we survey this dramatic development and its implications on the security of other quantum cryptographic schemes. PACS numbers: 03.65.Bz, 89.70.+c, 89.80.+h