Non-interactive and non-malleable commitment

Crescenzo, Giovanni Di; Ishai, Yuval; Ostrovsky, Rafail

doi:10.1145/276698.276722

Cited by 99 publications

(100 citation statements)

References 18 publications

Supporting

Mentioning

100

Contrasting

Order By: Relevance

“…We show that the notion of non-malleability used by Di Crescenzo et al [DIO98] is weaker than the one presented in [DDN00]. According to the definition of [DIO98], a scheme is non-malleable if the adversary cannot construct a commitment from a given one, such that after having seen the opening of the original commitment, the adversary is able to correctly open his commitment with a related message. But the definition of Dolev et al…”

Section: Introductionmentioning

confidence: 88%

“…While the straightforward solution of a standard proof of knowledge fails (because the adversary may in addition to the commitment also transform the proof of knowledge), we force the adversary to give his "own" proof of knowledge without being able to adapt the one of the original sender. Similar ideas have also been used in [DDN00,DIO98]. In our case, the proof of knowledge guarantees that the adversary already knows the message he has committed to.…”

Section: Introductionmentioning

confidence: 96%

“…While efficient non-malleable encryption schemes under various assumptions have appeared since then [BR93,BR94,CS98], as far as we know more efficient non-malleable commitment protocols are still missing. Di Crescenzo et al [DIO98] present a non-interactive and non-malleable commitment scheme based on any one-way function in the common random string model. Though being non-interactive, their system is rather theoretical as it excessively applies an ordinary commitment scheme to non-malleably commit to a single bit.…”

Section: Introductionmentioning

confidence: 99%

“…In this case, the adversary must also be able to open the modified commitment correctly given the decommitment of the original commitment. The scheme in [DDN00] achieves the stronger notion, whereas we do not know if the scheme in [DIO98] is also non-malleable with respect to commitment.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Efficient Non-malleable Commitment Schemes

Fischlin

2000

Advances in Cryptology — CRYPTO 2000

View full text Add to dashboard Cite

Abstract. We present efficient non-malleable commitment schemes based on standard assumptions such as RSA and Discrete-Log, and under the condition that the network provides publicly available RSA or Discrete-Log parameters generated by a trusted party. Our protocols require only three rounds and a few modular exponentiations. We also discuss the difference between the notion of non-malleable commitment schemes used by Dolev, Dwork and Naor [DDN00] and the one given by Di Crescenzo, Ishai and Ostrovsky [DIO98].

show abstract

Section: Introductionmentioning

confidence: 88%

Section: Introductionmentioning

confidence: 96%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficient Non-malleable Commitment Schemes

Fischlin

2000

Advances in Cryptology — CRYPTO 2000

View full text Add to dashboard Cite

show abstract

“…The starting point of this construction is "two-slot message length" technique from [22] underlying the recent constructions of constant-round non-malleable protocols in [24,25]. 5 The basic (and very much simplified) idea is to let the receiver sequentially send two challenges-one "long" and one "short"; the length of the challenges are determined by the identity of the sender. Intuitively, the protocol is designed to have the property that the response to a shorter challenge does not help an adversary to provide a response to a longer challenge.…”

Section: Our Techniquesmentioning

confidence: 99%

Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions

Pass

Wee

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Secure Communications over Insecure Channels Based on Short Authenticated Strings

Vaudenay

2005

Lecture Notes in Computer Science

170

172

View full text Add to dashboard Cite

Abstract. We propose a way to establish peer-to-peer authenticated communications over an insecure channel by using an extra channel which can authenticate very short strings, e.g. 15 bits. We call this SAS-based authentication as for authentication based on Short Authenticated Strings. The extra channel uses a weak notion of authentication in which strings cannot be forged nor modi£ed, but whose delivery can be maliciously stalled, canceled, or replayed. Our protocol is optimal and relies on an extractable or equivocable commitment scheme. This approach offers an alternative (or complement) to public-key infrastructures, since we no longer need any central authority, and to password-based authenticated key exchange, since we no longer need to establish a con£dential password. It can be used to establish secure associations in ad-hoc networks. Applications could be the authentication of a public key (e.g. for SSH or PGP) by users over the telephone, the user-aided pairing of wireless (e.g. Bluetooth) devices, or the restore of secure associations in a disaster case, namely when one remote peer had his long-term keys corrupted. On Building Secure CommunicationsOne of the key issue of modern cryptography is the problem of establishing a secure peer-to-peer communication over an insecure channel. Assuming that we can establish a private and authenticated key, standard tunneling techniques can achieve it. In the seminal work of Merkle [32] and Dif£e and Hellman [18], the private and authenticated key establishment problem was reduced to establishing a communication in which messages are authenticated. Public key cryptosystems such as RSA [39] further reduce to the establishment of an authenticated public key. Note that the seed authentication is also a limiting factor for quantum cryptography [10].Another major step was the notion of password-based authenticated key agreement which was £rst proposed by Bellovin and Merritt [8,9] and whose security was proven by Bellare, Pointcheval, and Rogaway [5] in the random oracle model. Another protocol, provably secure in the standard model, was proposed by Katz, Ostrovsky, and Yung [29]. Here, we assume that a private and authenticated short password was set up prior to the protocol. The key agreement protocol is such that no of¤ine dictionary attack is feasible against the password so that the threat model restricts to online passwordguessing attacks which are easily detectable. 1 When compared to the above approach, we thus reduce the size of the initial key, but we require its con£dentiality again.1 See Chapter 7 of [12] for a survey on password-based authenticated key agreement.

show abstract

Non-interactive and non-malleable commitment

Cited by 99 publications

References 18 publications

Efficient Non-malleable Commitment Schemes

Efficient Non-malleable Commitment Schemes

Constant-Round Non-malleable Commitments from Sub-exponential One-Way Functions

Secure Communications over Insecure Channels Based on Short Authenticated Strings

Contact Info

Product

Resources

About