
    Jonathan Katz

    Cryptographic protocol design in a two-party setting has often ignored the possibility of simultaneous message transmission by each of the two parties (i.e., using a duplex channel). In particular, most protocols for two-party key exchange have been designed assuming that parties alternate sending their messages (i.e., assuming a bidirectional half-duplex channel). However, by taking advantage of the communication characteristics of
    A central focus of modern cryptography is the construction of efficient, "high-level" cryptographic tools (e.g., encryption schemes) from weaker, "low-level" cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and also their efficiency. Here, we show essentially-tight lower bounds on the best possible efficiency that can be achieved by any black-box construction
    ... Rosario Gennaro IBM TJ Watson Research Center Yorktown Heights, NY rosario@watson.ibm.com ... To summarize, PRGs making "few" black-box oracle queries exist only if PRGs exist unconditionally (i.e., without making any oracle calls), something we do not currently know ...
    We describe efficient protocols for non-malleable (interactive) proofs of plaintext knowledge for the RSA, Rabin, Paillier, and El Gamal encryption schemes. We also highlight some important applications of these protocols: - Chosen-ciphertext-secure, interactive encryption. In settings where both parties are on-line, an interactive encryption protocol may be used. We construct chosen-ciphertext-secure interactive encryption schemes based on any of
    We present the design, security proof, and implementation of an anonymous subscription service. Users register for the service by providing some form of identity, which might or might not be linked to a real-world identity such as a credit card, a web login, or a public key. A user logs on to the system by presenting a credential derived from information received at registration. Each credential allows only a single login in any authentication window, or epoch. Logins are anonymous in the sense that the service cannot distinguish which user is logging in any better than random guessing. This implies unlinkability of a user across different logins. We find that a central tension in an anonymous subscription service is the service provider's desire for a long epoch (to reduce server-side computation) versus users' desire for a short epoch (so they can repeatedly "re-anonymize" their sessions). We balance this tension by having short epochs, but adding an efficient operation for clients who do not…
    Ad-hoc networks — and in particular wireless mobile ad-hoc networks — have unique characteristics and constraints that make traditional cryptographic mechanisms and assumptions inappropriate. In particular, it may not be warranted to assume pre-existing shared secrets ...
    We consider the round complexity of multi-party computation in the presence of a static adversary who controls a majority of the parties. Here, n players wish to securely compute some functionality and up to n-1 of these players may be arbitrarily malicious. Previous protocols for
    y (CS) as follows: CS = {C | C is a circuit, and ∃ s.t. C( ) = 1}. Theorem 1 CS is NP-complete. Proof It is relatively easy to see that CS ∈ NP. We show that CS is NP-complete by giving a Karp reduction from any L ∈ NP to CS. Fix such an L, and let M_L be a non-deterministic machine deciding L and running in time n^c on inputs of size n. The idea is straightforward: let M_L(x, w) denote an execution of M_L with input x and making non-deterministic choices w. Note that x ∈ L iff there exists a w such that M_L(x, w) = 1. (We further assume that w is padded, as necessary, so that there exists such a w with length exactly n^c in this case.) Consider the deterministic, polynomial-time function M_{L,x} : {0,1}^{n^c}
    Adaptively-secure encryption schemes ensure secrecy even in the presence of an adversary who can corrupt parties in an adaptive manner based on public keys, ciphertexts, and secret data of already-corrupted parties. Ideally, an adaptively-secure encryption scheme should, like standard public-key encryption, allow arbitrarily-many parties to use a single encryption key to securely encrypt arbitrarily-many messages to a given receiver who maintains only a single short decryption key. However, it is known that these requirements are impossible to achieve: no non-interactive encryption scheme that supports encryption of an unbounded number of messages and uses a single, unchanging decryption key can be adaptively secure. Impossibility holds even if secure data erasure is possible. We show that this limitation can be overcome by updating the decryption key over time and making some mild assumptions about the frequency of communication between parties. Using this approach, we constru...
    ... the experience with me at Columbia and elsewhere. I would like to specifically mention Yael Gertner who always inspired me to press forward with my research yet kept me from taking my work too seriously, and Ted Diament ...
    We consider the central cryptographic task of secure two-party computation: two parties wish to compute some function of their private inputs (each receiving possibly different outputs) where security should hold with respect to arbitrarily-malicious behavior of either of the participants. Despite extensive research in this area, the exact round-complexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary poly-time functionality) was not previously known. Here, we establish the exact round complexity of secure two-party computation with respect to black-box proofs of security. We first show a lower bound establishing (unconditionally) that four rounds are not sufficient to securely compute the coin-tossing functionality for any super-logarithmic number of coins; this rules out 4-round protocols for other natural functionalities as well. Next, we construct protocols for securely computing any (randomized) functionality using only five...
    We consider the problem of secret sharing among n rational players. This problem was introduced by Halpern and Teague (STOC 2004), who claim that a solution is impossible for n = 2 but show a solution for the case n ≥ 3. Counter to their claim, we show a simple protocol for the case of n = 2 players. Our protocol extends to the case n ≥ 3, where it is both simpler than the Halpern-Teague solution and also offers a number of other advantages. We also show how to avoid the continual involvement of the dealer, in either our own protocol or that of Halpern-Teague. Our techniques extend to the case of rational players trying to securely compute an arbitrary function, under certain assumptions on the utilities of the players.
    Abstract. Predicate encryption is a new paradigm generalizing, among other things, identity-based encryption. In a predicate encryption scheme, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SK_f corresponding to a predicate f can be ...
    Constructions of cryptographic primitives based on general assumptions (e.g., one-way functions) tend to be less efficient than constructions based on specific (e.g., number-theoretic) assumptions. This has prompted a recent line of research aimed at investigating the best possible efficiency of (black-box) cryptographic constructions based on general assumptions. Here, we present bounds on the efficiency of statistically-binding commitment schemes constructed using black-box access to one-way permutations; our bounds are tight for the case of perfectly-binding schemes. Our bounds hold in an extension of the Impagliazzo–Rudich model: we show that any construction beating our bounds would imply the unconditional existence of a one-way function (from which a statistically-binding commitment scheme could be constructed “from scratch”).
    Jonathan Katz Dept. of Computer Science University of Maryland College Park, MD jkatz@cs.umd.edu ... Nan Wang∗ Dept. of Computer Science University of Maryland College Park, MD nwang@cs.umd.edu ... ABSTRACT Much recent work has focused on ...
    Understanding the security of encryption methods has been a major area of research in both modern and traditional cryptography. We investigate the relation between notions of security for symmetric (private) key encryption. The security goals of both indistinguishability and ...
    ... by Rosario Gennaro1 Yael Gertner2 Jonathan Katz3 1 rosario@watson.ibm.com. ... [13] J. Kahn, M. Saks, and C. Smyth. A Dual Version of Reimer's Inequality and a Proof of Rudich's Conjecture. In Proceedings of the 15th IEEE Conference on Computational Complexity, 2000. ...
    ... 1 Introduction 1.1 Motivation Much work has been devoted to developing precise definitions of security for encryption schemes [2,3,16] and to constructing cryptosystems meeting these enhanced notions of security. Currently ...
    ABSTRACT We consider error-correcting codes where a bit of the message can be probabilistically recovered by looking at a limited number of bits (or blocks of bits) of a (possibly) corrupted encoding. Such codes can be derived from multivariate polynomial encodings, and have ...
    HB and HB+ are two shared-key, unidirectional authentication protocols whose extremely low computational cost makes them potentially well-suited for severely resource-constrained devices. Security of these protocols is based on the conjectured hardness of learning parity with noise; that is, learning a secret s given "noisy" dot products of s that are incorrect with probability ε. Although the problem of learning parity with noise is meaningful for any constant ε < 1/2, existing proofs of security for HB and HB+ only imply security when ε < 1/4. In this note, we show how to extend these proofs to the case of arbitrary ε < 1/2.
    Motivated by the desire to develop more realistic models of, and protocols for, interactions between mutually distrusting parties, there has recently been significant interest in combining the approaches and techniques of game theory with those of cryptographic protocol design. Broadly speaking, two directions are currently being pursued: Applying cryptography to game theory: Certain game-theoretic equilibria are achievable if a
    Abstract. Biometric data offer a potential source of high-entropy, secret information that can be used in cryptographic protocols provided two issues are addressed: (1) biometric data are not uniformly distributed; and (2) they ...
