[PDF] Top 20 Universally Composable Non-Interactive Key Exchange

... adversarial) key registrations plays a crucial ...the non-interactivity we refer to [11], where it is shown that the energy costs of communication can be significantly reduced when using ... See full document

... that key-independent reductions play in our ...some key generation algorithm), and assuming that ke can be securely composed with ...obtain non-trivial information about the key (e.g. if the ... See full document

... Only few security definitions apply to the case of unilateral authentication; the first formal treatment of this setting has been given by Halevi and Krawczyk [HK99], with a focus on password- based protocols. Shoup ... See full document

... a key exchange scheme and encrypt with a symmetric-key encryption ...be universally composable but, later, this turned out to be false [BDD + ... See full document

... n-way Non-Interactive Key Exchange ...a Non-Interactive Key Exchange (NIKE) protocol in which n par- ties create a shared secret key that only they can ... See full document

... that interactive cryptographic assumptions are necessary, we run into certain ...verification key but for a different message to be ...verification key; this implies that the valid signature in the ... See full document

... consider the stronger model of no erasures. [CKWZ13] presented a framework for adaptively-secure OT in the global crs model. They provide instantiations under vari- ous assumptions- DLIN, Symmetric External Diffie ... See full document

... secret key can be extracted from every ...as non- frameability or anonymity that capture security against a corrupt issuer, the issuer’s key is generated honestly within the game, instead of being ... See full document

... Previous works examine OT protocols in various security models and setup assumptions. In the MPC setting, it is desirable to consider models which allow to reason about the security of protocols when composed with ... See full document

... Realizing the technical heart of Hohenberger-Sahai-Waters approach [HSW14] is to replace the programmable RO with a specific hash function H satisfying suitable programmability, we successfully extend their approach in ... See full document

... and non-interactive zero-knowledge (NIZK) proofs that can be efficiently instantiated under standard computational assumptions (DDH) in the restricted programmable and observable global random oracle model ... See full document

... Several researchers have explored constructions using stateless tokens. Stateless tokens are pre- sumably easier and/or cheaper to build, and are resistant to resetting attacks whereby an adversary cuts off the power ... See full document

... Next, we apply our proposed membership encryption scheme to construct an 1-out-of-n priced oblivi- ous transfer protocol that is UC-secure under the assumption that there is an honestly generated common reference string, ... See full document

... Abstract. In this paper, we propose efficient protocols to obliviously execute non-deterministic and deterministic finite automata (NFA and DFA) in the arithmetic black box (ABB) model. In contrast to previous ... See full document

... Our proof strategy requires several heavyweight tools. In particular, we assume multilin- ear maps (however in a way that is compatible with the recent candidates [24, 17]), indistin- guishability obfuscation, and a ... See full document

... a non-interactive key exchange protocol and a key exchange protocol, a new encryption scheme which is secure against chosen ciphertext attack, with a very simple and tight ... See full document

... secret key on an extraction query, we can check whether the given public key was actually valid and in this case use the obtained secret key later to compute the unique shared ...secret key ... See full document

... of key-management is to preserve some kind of policy on a global ...of key A may depend on the security of keys B and ...all non-trivial key management systems allow keys to encrypt other ... See full document

... generated key in the bulletin-board, and as a verifier it may request verification of messages with respect to keys of its choice (instead of the key registered in the ...signing key without ... See full document

... As mentioned above, the environment E in the basic UC experiment is unable to invoke protocols that share state in any way with the challenge protocol. In many scenarios, the challenge protocol produces information that ... See full document