
Publication


Featured research published by Moti Yung.


Springer Berlin Heidelberg | 2004

Advances in Cryptology - EUROCRYPT 2004

Aggelos Kiayias; Yiannis Tsiounis; Moti Yung

We present, implement and apply a new privacy primitive that we call “Traceable Signatures.” To this end we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. We demonstrate that this extended function is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures by a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users. Our work includes a novel modeling of security in privacy systems that leads to simulation-based proofs. Security notions in privacy systems are typically more complex than the traditional security of cryptographic systems, thus our modeling methodology may find future applications in other settings. To allow efficient implementation of our scheme we develop a number of basic tools, zero-knowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”

Author affiliations (from the paper's front matter): Computer Science and Eng. Dept., University of Connecticut, Storrs, CT, USA; Etolian Capital, New York, NY, USA; Computer Science Dept., Columbia University, NY, USA. Research supported in part by NIST under grant SB1341-02-W-1113.


symposium on the theory of computing | 1989

Universal one-way hash functions and their cryptographic applications

Moni Naor; Moti Yung

We define a Universal One-Way Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x. We prove constructively that universal one-way hash functions exist if any 1-1 one-way functions exist. Among the various applications of the primitive is a One-Way based Secure Digital Signature Scheme, a system which is based on the existence of any 1-1 One-Way Functions and is secure against the most general attack known. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor one-way functions exist.


symposium on the theory of computing | 1990

Public-key cryptosystems provably secure against chosen ciphertext attacks

Moni Naor; Moti Yung

We show how to construct a public-key cryptosystem (as originally defined by Diffie and Hellman) secure against chosen ciphertext attacks, given a public-key cryptosystem secure against passive eavesdropping and a noninteractive zero-knowledge proof system in the shared string model. No such secure cryptosystems were known before. A concrete implementation can be based on quadratic residuosity intractability.


international cryptology conference | 1992

Perfectly-Secure Key Distribution for Dynamic Conferences

Carlo Blundo; Alfredo De Santis; Amir Herzberg; Shay Kutten; Ugo Vaccaro; Moti Yung

A key distribution scheme for dynamic conferences is a method by which initially an (off-line) trusted server distributes private individual pieces of information to a set of users. Later any group of users of a given size (a dynamic conference) is able to compute a common secure key. In this paper we study the theory and applications of such perfectly secure systems. In this setting, any group of t users can compute a common key by each user computing using only his private piece of information and the identities of the other t - 1 group users. Keys are secure against coalitions of up to k users, that is, even if k users pool together their pieces they cannot compute anything about a key of any t-size conference comprised of other users. First we consider a non-interactive model where users compute the common key without any interaction. We prove a lower bound on the size of the user's piece of information of (k+t-1 choose t-1) times the size of the common key. We then establish the optimality of this bound, by describing and analyzing a scheme which exactly meets this limitation (the construction extends the one in [2]). Then, we consider the model where interaction is allowed in the common key computation phase, and show a gap between the models by exhibiting an interactive scheme in which the user's information is only k + t - 1 times the size of the common key. We further show various applications and useful modifications of our basic scheme. Finally, we present its adaptation to network topologies with neighborhood constraints.
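The non-interactive scheme for conferences of size t = 2 (pairwise keys, the symmetric-polynomial construction the abstract says it extends), as an added Python example that is not the paper's code: the off-line server samples a symmetric (k+1)x(k+1) matrix over a prime field, each user's private piece is the coefficient vector of f(uid, y), which is k+1 field elements, exactly the (k+t-1 choose t-1) bound for t = 2, and any two users compute the same key from their own piece and the peer's identity alone. The last function shows the bound is tight from the attacker's side: k+1 pooled pieces recover the whole matrix by inverting a Vandermonde matrix, which is why coalitions must be limited to k. The prime P, the identities, k and the names of the functions are constructed for the example.

```python
import secrets

# Constructed parameter for the example: keys live in F_p with p = 2^61 - 1 (a Mersenne prime).
P = 2**61 - 1


def powers(uid, k, p=P):
    """Identity vector (1, uid, uid^2, ..., uid^k) over F_p. Identities must be distinct non-zero residues."""
    return [pow(uid, u, p) for u in range(k + 1)]


def server_setup(k, p=P):
    """Off-line trusted server: random symmetric (k+1)x(k+1) matrix A over F_p, i.e. the coefficients
    of a symmetric bivariate polynomial f(x, y) = sum A[u][v] x^u y^v of degree k in each variable."""
    n = k + 1
    A = [[0] * n for _ in range(n)]
    for u in range(n):
        for v in range(u, n):
            A[u][v] = A[v][u] = secrets.randbelow(p)
    return A


def private_piece(A, uid, p=P):
    """Piece handed to user uid: the k+1 coefficients of g_uid(y) = f(uid, y).
    Size k+1 = (k+t-1 choose t-1) for t = 2, matching the paper's lower bound."""
    k = len(A) - 1
    xu = powers(uid, k, p)
    return [sum(A[u][v] * xu[u] for u in range(k + 1)) % p for v in range(k + 1)]


def conference_key(my_piece, peer_uid, p=P):
    """Non-interactive key: g_me(peer) = f(me, peer) = f(peer, me), computed from the piece and the peer's id only."""
    k = len(my_piece) - 1
    return sum(c * y for c, y in zip(my_piece, powers(peer_uid, k, p))) % p


def invert_mod(M, p=P):
    """Gauss-Jordan inverse of a square matrix over F_p (raises StopIteration if singular)."""
    n = len(M)
    aug = [list(row) + [int(r == c) for c in range(n)] for r, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] % p)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [x * inv % p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def coalition_recovers_matrix(captured, p=P):
    """Tightness of the k-coalition bound: k+1 pooled pieces determine A completely.
    captured maps uid -> private piece for exactly k+1 distinct users. With V the matrix whose
    columns are the identity vectors and S the matrix whose columns are the pieces, S = A.V,
    so A = S.V^{-1}; V is Vandermonde and therefore invertible for distinct identities."""
    uids = list(captured)
    n = len(uids)                       # must be k + 1
    k = n - 1
    V = [[powers(uid, k, p)[u] for uid in uids] for u in range(n)]
    S = [[captured[uid][v] for uid in uids] for v in range(n)]
    Vinv = invert_mod(V, p)
    return [[sum(S[r][m] * Vinv[m][c] for m in range(n)) % p for c in range(n)] for r in range(n)]


if __name__ == "__main__":
    k = 3                                               # tolerate coalitions of up to 3 users
    A = server_setup(k)
    alice, bob = private_piece(A, 1001), private_piece(A, 2002)
    print("pairwise key agrees:", conference_key(alice, 2002) == conference_key(bob, 1001))
    pooled = {uid: private_piece(A, uid) for uid in (11, 12, 13, 14)}   # k + 1 colluders
    print("k+1 colluders recover the server matrix:", coalition_recovers_matrix(pooled) == A)
```

For general t the same idea applies with a symmetric polynomial in t variables of degree k in each: user uid keeps the coefficients of f(uid, y_2, ..., y_t), a polynomial in t-1 variables, and that coefficient count is the (k+t-1 choose t-1) of the abstract; the example stays with t = 2 so the Vandermonde argument for the coalition attack is visible in a few lines.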


international cryptology conference | 1995

Proactive Secret Sharing Or: How to Cope With Perpetual Leakage

Amir Herzberg; Stanislaw Jarecki; Hugo Krawczyk; Moti Yung

Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire life-time of the secret the adversary is restricted to compromise less than k of the n locations. For long-lived and sensitive secrets this protection may be insufficient. We propose an efficient proactive secret sharing scheme, where shares are periodically renewed (without changing the secret) in such a way that information gained by the adversary in one time period is useless for attacking the secret after the shares are renewed. Hence, an adversary willing to learn the secret needs to break into all k locations during the same time period (e.g., one day, a week, etc.). Furthermore, in order to guarantee the availability and integrity of the secret, we provide mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct shares when modification is detected.


international cryptology conference | 2009

A New Randomness Extraction Paradigm for Hybrid Encryption

Eike Kiltz; Krzysztof Pietrzak; Martijn Stam; Moti Yung

We present a new approach to the design of IND-CCA2 secure hybrid encryption schemes in the standard model. Our approach provides an efficient generic transformation from 1-universal to 2-universal hash proof systems. The transformation involves a randomness extractor based on a 4-wise independent hash function as the key derivation function. Our methodology can be instantiated with efficient schemes based on standard intractability assumptions such as Decisional Diffie-Hellman, Quadratic Residuosity, and Paillier's Decisional Composite Residuosity. Interestingly, our framework also allows one to prove IND-CCA2 security of a hybrid version of Damgård's 1991 ElGamal public-key encryption scheme under the DDH assumption.


principles of distributed computing | 1991

How to withstand mobile virus attacks (extended abstract)

Rafail Ostrovsky; Moti Yung

We initiate a study of a distributed adversarial model of computation in which faults are non-stationary and can move through the network, analogous to the spread of a virus or a worm. We show how local computations (at each processor) and global computations can be polynomial factor-redundancy in the


public key cryptography | 1998

On the Security of ElGamal Based Encryption

Yiannis Tsiounis; Moti Yung

The ElGamal encryption scheme was proposed several years ago and is one of the few probabilistic encryption schemes. However, its security has never been concretely proven based on clearly understood and accepted primitives. Here we show directly that the decision Diffie-Hellman assumption implies the security of the original ElGamal encryption scheme (with messages from a subgroup) without modification. In addition, we show that the opposite direction holds, i.e., the semantic security of the ElGamal encryption is actually equivalent to the decision Diffie-Hellman problem. We also present an exact analysis of the efficiency of the reduction.


computer and communications security | 1997

Proactive public key and signature systems

Amir Herzberg; Markus Jakobsson; Stanisław Jarecki; Hugo Krawczyk; Moti Yung

Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for world-wide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in the cases where a single and unchanged private key must be kept secret for a very long time (such is the case of certification authority keys, bank and e-cash keys, etc.). One crucial defense against exposure of private keys is offered by threshold cryptography, where the private key functions (like signatures or decryption) are distributed among several parties such that a predetermined number of parties must cooperate in order to correctly perform these operations. This protects keys from any single point of failure. An attacker needs to break into a multiplicity of locations before it can compromise the system. However, in the case of long-lived keys the attacker still has a considerable period of time (like a few years) to gradually break the system. Here we present proactive public key systems where the threshold solutions are further enhanced by periodic refreshment of the shared function in such a way that the private key (and its corresponding public key) is kept unchanged for as long as required, yet the breaking of the system requires the attacker to break into several locations in a short period of time, e.g. during one day or one week. We present such solutions for a variety of discrete log based cryptosystems including DSS and Schnorr signatures, ElGamal-like signatures and encryption, undeniable signatures, and more. We build on previous work on proactive secret sharing and threshold schemes, and develop a general methodology for the combination of many of these systems into secure proactive public key solutions.

Author affiliations (from the paper's front matter): IBM Research, Haifa Scientific Center; University of California, San Diego; Massachusetts Institute of Technology; IBM T.J. Watson Research Center; CertCo, New York.


symposium on the theory of computing | 1994

How to share a function securely

Alfredo De Santis; Yvo Desmedt; Yair Frankel; Moti Yung

We define the primitive of function sharing, a functional analog of secret sharing, and employ it to construct novel cryptosystems. The basic idea of function sharing is to split a hard to compute (trapdoor) function into shadow functions (or share-functions). The intractable function becomes easy to compute at a given point value when given any threshold (at least t out of l) of shadow functions evaluations at that point. Otherwise, the function remains hard. Furthermore, the function must remain intractable even after exposing up to t - 1 shadow functions and exposing values of all shadow functions at polynomially many inputs. The primitive enables the distribution of the power to perform cryptography (signature, decryption, etc.) to agents. This enables the design of various novel cryptosystems with improved integrity, availability and security properties. Our model should be contrasted with the model of secure function evaluation protocols. We require no channels between agents holding the shadow functions, as the agents act non-interactively on a publicly available input. Our security solely relies on secure memories (and results) as in regular cryptosystems. In secure function evaluation, on the other hand, it is necessary to have private/secured bilateral channels, interactive protocol, and security of all inputs, in addition to secure memories.

Author affiliations (from the paper's footnotes): Dip. di Informatica ed Applicazioni, Università di Salerno, Baronissi (SA), Italy; Dept. of EE&CS, Univ. of Wisconsin Milwaukee, WI. Partially supported by NSF Grant NCR-9106327.
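The threshold ideas in four of the abstracts above fit together in one added Python example (mine, not code from any of the papers): ElGamal with messages restricted to the prime-order subgroup, the setting of the Tsiounis and Yung result, together with a check that shows what leaks when a message falls outside it; t-of-n function sharing of the decryption exponent in the sense of the De Santis, Desmedt, Frankel and Yung abstract, where each agent evaluates its shadow function on the public ciphertext alone and no channels between agents are needed; and the share renewal of the proactive secret sharing abstract (Herzberg, Jarecki, Krawczyk, Yung), which is also what the proactive public key systems abstract builds on, leaving the key pair unchanged while making shares from an earlier period useless. Assumptions made for the example: the group is a 64-bit safe prime searched at run time rather than a deployment-size standard group, the generator is G = 4, the threshold is 3 of 5, shareholders are numbered 1..n, sub-shares during renewal are assumed to reach holders over private channels, and the message and identities are constructed. Threshold decryption is done with the standard Lagrange-in-the-exponent technique, not with the papers' specific constructions.

```python
import secrets

# Group for the example (an assumption): a 64-bit safe prime p = 2q + 1 found at run time, and the
# order-q subgroup of quadratic residues generated by G = 4 = 2^2. Deployments use standard groups.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with the fixed bases above."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64):
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime()
G = 4

def in_subgroup(a):
    """Euler's criterion: a has order dividing q iff a is a quadratic residue mod p."""
    return pow(a, Q, P) == 1

# ElGamal with messages restricted to the subgroup, the setting of the Tsiounis-Yung result.
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m, check=True):
    if check and not in_subgroup(m):
        raise ValueError("message must be a subgroup element")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(y, r, P) % P

def leaks_qr_bit(y, m):
    """Why the restriction matters: y^r is always a residue, so c2 is a residue exactly when m is.
    Without the check an eavesdropper reads that bit of m off c2 and semantic security is gone."""
    _, c2 = encrypt(y, m, check=False)
    return in_subgroup(c2) == in_subgroup(m)

# Function sharing: t-of-n Shamir shares of the exponent x over F_q. Each agent evaluates its
# shadow function c1^{x_i} on the public ciphertext alone; agents never talk to each other.
def shamir_share(secret, t, n):
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange_at_zero(ids):
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * j % Q, den * (j - i) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def partial_decrypt(c1, x_i):
    return pow(c1, x_i, P)

def combine(c2, partials):
    """Interpolate in the exponent: prod_i (c1^{x_i})^{lambda_i} = c1^x, then strip it from c2."""
    lam = lagrange_at_zero(list(partials))
    c1_x = 1
    for i, d in partials.items():
        c1_x = c1_x * pow(d, lam[i], P) % P
    return c2 * pow(c1_x, -1, P) % P

# Proactive renewal: every holder deals a fresh t-of-n sharing of 0 and each holder adds what it
# receives. x and the public key y are unchanged, but shares from different periods no longer
# interpolate to x, so an attacker must collect t shares within one period.
def refresh(shares, t):
    n = len(shares)
    new = dict(shares)
    for _dealer in shares:
        for i, sub in shamir_share(0, t, n).items():
            new[i] = (new[i] + sub) % Q
    return new

if __name__ == "__main__":
    x, y = keygen()
    c1, c2 = encrypt(y, pow(G, 12345, P))
    new = refresh(shamir_share(x, 3, 5), 3)
    print(combine(c2, {i: partial_decrypt(c1, new[i]) for i in (2, 4, 5)}) == pow(G, 12345, P))
```

Mixing shares from two periods (say two old shares and one refreshed one) interpolates to x plus a random nonzero offset, so decryption with them fails except with probability 1/q; that is the proactive guarantee made concrete. Detection and recovery of corrupted shares, which the proactive abstract also covers, are not shown here.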

Collaboration

Top co-authors of Moti Yung listed on this page:

Aggelos Kiayias (National and Kapodistrian University of Athens)
Benoît Libert (École normale supérieure de Lyon)
Yair Frankel (Sandia National Laboratories)
Shouhuai Xu (University of Texas at San Antonio)