DOCSLIB.ORG

7Th USENIX Security Symposium (Security '98) Jan. 26-29, 1998

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
7Th USENIX Security Symposium (Security '98) Jan. 26-29, 1998 Review the Program. Important Dates to Remember: See the quality. Join us at the Hotel Discount Deadline: Monday, January 5, 1998 Security Symposium. Pre-Registration Deadline: Monday, January 5, 1998 Papers Presented at USENIX Program at-a-Glance Conferences are Refereed. The refereed papers were reviewed by the Sunday, January 25 Program Committee and selected for their 6:00 pm – 9:00 pm On-Site Registration quality from a large number of submissions. We thank the Program Committee for their 6:00 pm – 9:00 pm Welcome Reception hard work. Monday, January 26 Program Committee 7:30 am – 5:00 pm On-Site Registration 9:00 am – 5:00 pm Tutorial Program and Lunch Program Chair Tuesday, January 27 Avi Rubin, AT&T Labs – Research Committee 7:30 am – 5:00 pm On-Site Registration Carlisle Adams, Entrust Technologies 9:00 am – 5:00 pm Tutorial Program and Lunch Dave Balenson, Trusted Information Systems 6:00 pm – 10:00 pm Birds-of-a-Feather Sessions Steve Bellovin, AT&T Labs – Research Wednesday, January 28 Dan Boneh, Stanford University Diane Coe, Concept Five Technologies 7:30 am – 5:00 pm On-Site Registration Ed Felten, Princeton University 9:00 am – 10:30 am Opening Remarks and Keynote Li Gong, JavaSoft 11:00 am – 5:30 pm USENIX Technical Sessions Peter Honeyman, CITI, University of Michigan Noon – 7:00 pm Security ’98 Exhibition Hugo Krawczyk, Technion Jack Lacy, AT&T Labs – Research 7:00 pm – 9:00 pm Symposium Reception Hilarie Orman, DARPA/ITO Thursday, January 29 Mike Reiter, AT&T Labs – Research David Wagner, University of California, Berkeley 8:30 am – 5:00 pm USENIX Technical Sessions Readers 10:00 am – 2:00 pm Security ’98 Exhibition Katherine T. Fithen, CERT Trent Jaeger, IBM Watson Labs Invited Talks Coordinator “The fact that people with Table of Contents Greg Rose, QUALCOMM Australia different backgrounds 4–7 and perspectives gave Tutorials 7–8 About the Speakers their vision made this 9 Exhibition symposium a very vivid, Questions? 10 Keynote Address Email: [email protected] rich, and colorful one.” 10–11 Technical Program Phone: 714.588.8649 12 About USENIX Fax: 714.588.9706 Magda De Jong, 13 Conference Activities & Services Updates: http://www.usenix.org/events/sec98/ 14 Hewlett-Packard, Hotel and Travel Information 15 Registration 1996 Attendee 2 TO REGISTER, USE THE FORM ON PAGE A Letter from the Program Chair Dear Colleague: selecting the best among 65 high-quality sub- I invite you to the USENIX Security missions. These reports of research and new Symposium. This is the place where you will implementations cover a wide range, including: hear, discuss, then put to use the latest research, ■ Security of mobile code well-thought-out approaches, and tools and ■ Electronic commerce in actuality: how techniques for practical system security. Take money is being made on the net home lessons from real-world security practice ■ Intrusion detection: implementations of on how to assess what needs protecting, from superior new systems whom, and how best to go about it. ■ Security of the world wide web As the 7th USENIX Security Symposium Alongside the refereed papers, you’ll find an This is the place “ approaches, we find ourselves in exciting times. incredible line-up of invited speakers: Bill where you will More and more companies are realizing the Cheswick; Daniel Geer; Arjen Lenstra; Alfred hear, discuss, importance of securing their networks, their Menezes; Clifford Neuman; JoAnn Perry; then put to data and their computers. Long-awaited Marcus Ranum; and Shabbir Safdar. This is electronic commerce is becoming a reality, and use the latest your chance to hear it from the real pioneers of people are actually making money on the net. our field. research, well- The advent of Java and other platform- Meet colleagues with similar interests at the thought-out independent languages has enabled computa- Tuesday Birds-of-a-Feather Session or present approaches, tional models that only existed in theory to be your own on-going research in the Work-In- and tools and rapidly developed and deployed. The inherent Progress Session. You’ll want to check out the techniques for security risks have jump-started researchers into Exhibition where vendors will be demonstrat- action. ing products they hope will help you practice practical system The conference kicks off with your opportu- security more efficiently and effectively. Give security.” nity for in-depth study. Choose among tutorials them your feedback on what works and what is led by Bruce Schneier, Carl Ellison, Daniel still needed. Geer, Jon Rochlis, Brad Johnson, Jim Duncan, Please join us. I hope to see you in San Gary McGraw, and Rik Farrow, all experienced, Antonio on January 26–29, 1998. respected instructors. You’ll master both theory and effective approaches and techniques in areas you need: Security on the Web; Windows NT Security; Certification; Java Security; Handling Aviel D. Rubin, Program Chair Security Incidents; Network Security Profiles; AT&T Labs – Research Introduction to Cryptography; and Internet For Security Symposium Program Committee Crypto Protocols. Expect to hear about the latest research. The Program Committee had the pleasure of PS: Register early for tutorials—they often fill up fast. You can use our on-line registration form: http://www.usenix.org/events/sec98/ R EGISTER ON-LINE AT: http://www.usenix.org/events/sec98/ 3 Tutorial Program Monday –Tuesday, January ‒, ecurity is one of the most urgent topics in Continuing Education Units today’s computing environments. USENIX USENIX provides Continuing Education Units (CEUs) Stutorials at Security ’98 provide you with the for a small additional administrative fee. The CEU is Gain command in-depth and immediately-useful instruction you a nationally recognized standard of unit of measure of the newest need to meet the demands. These tutorials survey for continuing education and training, and is used by security tools, the topic and then dive into the specifics of what- thousands of organizations. Each full-day USENIX to-do and how-to-do it. Instructors are well-known tutorial qualifies for 0.6 CEUs. You can request CEU techniques, and experts in their topics and selected with care for credit by completing the CEU section on the regis- approaches, then their ability to teach complex subjects. Attend the tration form. USENIX provides a certificate for each USENIX tutorials. attendee taking a tutorial for CEU credit and main- put them to tains transcripts for all CEU students. CEUs are not Our guarantee: If you’re not happy, we’re not the same as college credits. Consult your employer work in your happy. If you feel a tutorial does not meet the high or school to determine their applicability. organization standards you have come to expect from USENIX, let us know by the first break and we will change Register now to guarantee your first choice. Seating immediately. you to any available tutorial immediately. is limited. Register by January 5, and save $50. Tutorial Overview Full day tutorials run from 9:00 AM to 5:00 PM. Half-day tutorials, marked “AM” or “PM” run either from 9:00 AM to 12:30 PM or from 1:30 PM to 5:00 PM. Full-day tutorials may not be split. Monday, January 26 Tuesday, January 27 Register M1 Security on the World Wide Web T1 Handling Computer and Network early for M2 Windows NT Security Security Incidents T2 Network Security Profiles: M3AM Certification: Identity, Trust, tutorials — What Every Hacker Already Knows and Empowerment About You, and What To Do About It they often M4PM Towards Secure Executable Content: T3AM sell out. Java Security Using Cryptography T4PM Cryptography for the Internet Tutorial fees include: • Admission to the tutorials you select • Printed and bound tutorial materials Registration from your session Discount Deadline • Lunch Jan. 5th Hotel Discount Deadline • Admission to the Vendor Exhibition January 5th, 1998 4 FAX .. FOR MORE INFORMATION Tutorial Program Monday –Tuesday, January ‒, Monday, January 26 Windows NT is the result of an unusual couriers carrying keys between people to open marriage between disparate operating systems: secure channels. This suggestion has grown into a completely reworked replacement for Digital public key certificates, binding names to keys, M1 Security on the World Wide Equipment’s VMS and Windows 3.1. On the and to suggestions for national or global Public Web one hand, there are security features to satisfy Key Infrastructures (PKIs). Many people advo- the most avid control freak: centralized control Daniel Geer, CertCo, LLC, and cate using such certificates or PKIs without over user accounts, file sharing, desktop appear- realizing what they are getting in return. They Jon Rochlis, SystemExperts Corp. ance, fine grained object access, encryption, a take the word of professional cryptographers. Who should attend: Anyone responsible security monitor, and auditing sensitive enough Professional cryptographers, meanwhile, are for running a web site who wants the under- to capture most security related events. On the sloppy in their use of words (using “name” and stand the tradeoffs in making it secure. Anyone other hand, it provides support for an API that “identity” as if they were interchangeable) and seeking to understand how the web is likely to has been the main target for virus writers, and using “trust” without any qualifiers (as in “In be secured application programmers who have never even God We Trust”). considered the notion of security. In fact, each kind of certificate empowers The World Wide Web This tutorial explains the security mech- a public key in some way. This tutorial will “Excellent exe- is perhaps the most anisms in Windows NT, and how they can teach people how to identify what kind of cution of intro- important enabler (so best be used to improve the security of net- empowerment they need for their public keys to concept-to far) of electronic com- worked NT systems.
Load more

Recommended publications
  • Research Notices
    AMERICAN MATHEMATICAL SOCIETY Research in Collegiate Mathematics Education. V Annie Selden, Tennessee Technological University, Cookeville, Ed Dubinsky, Kent State University, OH, Guershon Hare I, University of California San Diego, La jolla, and Fernando Hitt, C/NVESTAV, Mexico, Editors This volume presents state-of-the-art research on understanding, teaching, and learning mathematics at the post-secondary level. The articles are peer-reviewed for two major features: (I) advancing our understanding of collegiate mathematics education, and (2) readability by a wide audience of practicing mathematicians interested in issues affecting their students. This is not a collection of scholarly arcana, but a compilation of useful and informative research regarding how students think about and learn mathematics. This series is published in cooperation with the Mathematical Association of America. CBMS Issues in Mathematics Education, Volume 12; 2003; 206 pages; Softcover; ISBN 0-8218-3302-2; List $49;AII individuals $39; Order code CBMATH/12N044 MATHEMATICS EDUCATION Also of interest .. RESEARCH: AGul<lelbrthe Mathematics Education Research: Hothomatldan- A Guide for the Research Mathematician --lllll'tj.M...,.a.,-- Curtis McKnight, Andy Magid, and -- Teri J. Murphy, University of Oklahoma, Norman, and Michelynn McKnight, Norman, OK 2000; I 06 pages; Softcover; ISBN 0-8218-20 16-8; List $20;AII AMS members $16; Order code MERN044 Teaching Mathematics in Colleges and Universities: Case Studies for Today's Classroom Graduate Student Edition Faculty
    [Show full text]
  • A Decade of Lattice Cryptography
    Full text available at: http://dx.doi.org/10.1561/0400000074 A Decade of Lattice Cryptography Chris Peikert Computer Science and Engineering University of Michigan, United States Boston — Delft Full text available at: http://dx.doi.org/10.1561/0400000074 Foundations and Trends R in Theoretical Computer Science Published, sold and distributed by: now Publishers Inc. PO Box 1024 Hanover, MA 02339 United States Tel. +1-781-985-4510 www.nowpublishers.com [email protected] Outside North America: now Publishers Inc. PO Box 179 2600 AD Delft The Netherlands Tel. +31-6-51115274 The preferred citation for this publication is C. Peikert. A Decade of Lattice Cryptography. Foundations and Trends R in Theoretical Computer Science, vol. 10, no. 4, pp. 283–424, 2014. R This Foundations and Trends issue was typeset in LATEX using a class file designed by Neal Parikh. Printed on acid-free paper. ISBN: 978-1-68083-113-9 c 2016 C. Peikert All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Photocopying. In the USA: This journal is registered at the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923. Authorization to photocopy items for in- ternal or personal use, or the internal or personal use of specific clients, is granted by now Publishers Inc for users registered with the Copyright Clearance Center (CCC). The ‘services’ for users can be found on the internet at: www.copyright.com For those organizations that have been granted a photocopy license, a separate system of payment has been arranged.
    [Show full text]
  • The Best Nurturers in Computer Science Research
    The Best Nurturers in Computer Science Research Bharath Kumar M. Y. N. Srikant IISc-CSA-TR-2004-10 http://archive.csa.iisc.ernet.in/TR/2004/10/ Computer Science and Automation Indian Institute of Science, India October 2004 The Best Nurturers in Computer Science Research Bharath Kumar M.∗ Y. N. Srikant† Abstract The paper presents a heuristic for mining nurturers in temporally organized collaboration networks: people who facilitate the growth and success of the young ones. Specifically, this heuristic is applied to the computer science bibliographic data to find the best nurturers in computer science research. The measure of success is parameterized, and the paper demonstrates experiments and results with publication count and citations as success metrics. Rather than just the nurturer’s success, the heuristic captures the influence he has had in the indepen- dent success of the relatively young in the network. These results can hence be a useful resource to graduate students and post-doctoral can- didates. The heuristic is extended to accurately yield ranked nurturers inside a particular time period. Interestingly, there is a recognizable deviation between the rankings of the most successful researchers and the best nurturers, which although is obvious from a social perspective has not been statistically demonstrated. Keywords: Social Network Analysis, Bibliometrics, Temporal Data Mining. 1 Introduction Consider a student Arjun, who has finished his under-graduate degree in Computer Science, and is seeking a PhD degree followed by a successful career in Computer Science research. How does he choose his research advisor? He has the following options with him: 1. Look up the rankings of various universities [1], and apply to any “rea- sonably good” professor in any of the top universities.
    [Show full text]
  • Algebraic Pseudorandom Functions with Improved Efficiency from the Augmented Cascade*
    Algebraic Pseudorandom Functions with Improved Efficiency from the Augmented Cascade* DAN BONEH† HART MONTGOMERY‡ ANANTH RAGHUNATHAN§ Department of Computer Science, Stanford University fdabo,hartm,[email protected] September 8, 2020 Abstract We construct an algebraic pseudorandom function (PRF) that is more efficient than the classic Naor- Reingold algebraic PRF. Our PRF is the result of adapting the cascade construction, which is the basis of HMAC, to the algebraic settings. To do so we define an augmented cascade and prove it secure when the underlying PRF satisfies a property called parallel security. We then use the augmented cascade to build new algebraic PRFs. The algebraic structure of our PRF leads to an efficient large-domain Verifiable Random Function (VRF) and a large-domain simulatable VRF. 1 Introduction Pseudorandom functions (PRFs), first defined by Goldreich, Goldwasser, and Micali [GGM86], are a fun- damental building block in cryptography and have numerous applications. They are used for encryption, message integrity, signatures, key derivation, user authentication, and many other cryptographic mecha- nisms. Beyond cryptography, PRFs are used to defend against denial of service attacks [Ber96, CW03] and even to prove lower bounds in learning theory. In a nutshell, a PRF is indistinguishable from a truly random function. We give precise definitions in the next section. The fastest PRFs are built from block ciphers like AES and security is based on ad-hoc inter- active assumptions. In 1996, Naor and Reingold [NR97] presented an elegant PRF whose security can be deduced from the hardness of the Decision Diffie-Hellman problem (DDH) defined in the next section.
    [Show full text]
  • Dan Boneh Cryptography Professor, Professor of Electrical Engineering and Senior Fellow at the Freeman Spogli Institute for International Studies Computer Science
    Dan Boneh Cryptography Professor, Professor of Electrical Engineering and Senior Fellow at the Freeman Spogli Institute for International Studies Computer Science CONTACT INFORMATION • Administrator Ruth Harris - Administrative Associate Email [email protected] Tel (650) 723-1658 Bio BIO Professor Boneh heads the applied cryptography group and co-direct the computer security lab. Professor Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, web security, security for mobile devices, and cryptanalysis. He is the author of over a hundred publications in the field and is a Packard and Alfred P. Sloan fellow. He is a recipient of the 2014 ACM prize and the 2013 Godel prize. In 2011 Dr. Boneh received the Ishii award for industry education innovation. Professor Boneh received his Ph.D from Princeton University and joined Stanford in 1997. ACADEMIC APPOINTMENTS • Professor, Computer Science • Professor, Electrical Engineering • Senior Fellow, Freeman Spogli Institute for International Studies HONORS AND AWARDS • ACM prize, ACM (2015) • Simons investigator, Simons foundation (2015) • Godel prize, ACM (2013) • IACR fellow, IACR (2013) 4 OF 6 PROFESSIONAL EDUCATION • PhD, Princeton (1996) LINKS • http://crypto.stanford.edu/~dabo: http://crypto.stanford.edu/~dabo Page 1 of 2 Dan Boneh http://cap.stanford.edu/profiles/Dan_Boneh/ Teaching COURSES 2021-22 • Computer and Network Security: CS 155 (Spr) • Cryptocurrencies and blockchain technologies: CS 251 (Aut) •
    [Show full text]
  • Remote Side-Channel Attacks on Anonymous Transactions
    Remote Side-Channel Attacks on Anonymous Transactions Florian Tramer and Dan Boneh, Stanford University; Kenny Paterson, ETH Zurich https://www.usenix.org/conference/usenixsecurity20/presentation/tramer This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. Remote Side-Channel Attacks on Anonymous Transactions Florian Tramèr∗ Dan Boneh Kenneth G. Paterson Stanford University Stanford University ETH Zürich Abstract Bitcoin’s transaction graph. The same holds for many other Privacy-focused crypto-currencies, such as Zcash or Monero, crypto-currencies. aim to provide strong cryptographic guarantees for transaction For those who want transaction privacy on a public confidentiality and unlinkability. In this paper, we describe blockchain, systems like Zcash [45], Monero [47], and several side-channel attacks that let remote adversaries bypass these others offer differing degrees of unlinkability against a party protections. who records all the transactions in the network. We focus We present a general class of timing side-channel and in this paper on Zcash and Monero, since they are the two traffic-analysis attacks on receiver privacy. These attacks en- largest anonymous crypto-currencies by market capitaliza- able an active remote adversary to identify the (secret) payee tion. However our approach is more generally applicable, and of any transaction in Zcash or Monero. The attacks violate we expect other anonymous crypto-currencies to suffer from the privacy goals of these crypto-currencies by exploiting similar vulnerabilities. side-channel information leaked by the implementation of Zcash and Monero use fairly advanced cryptographic different system components.
    [Show full text]
  • Generalized Hierarchical Identity-Based Signcryption
    1078 JOURNAL OF COMPUTERS, VOL. 5, NO. 7, JULY 2010 Generalized Hierarchical Identity-Based Signcryption Hao Wang School of computer science and technology, Shandong University, Jinan, China Email: [email protected] Qiuliang Xu1 and Xiufeng Zhao1,2 1 School of computer science and technology, Shandong University, Jinan, China 2 Institute of Electronic Technology, Information Engineering University, Zhengzhou, China Email: [email protected], [email protected] Abstract—In this paper, we propose a generic method to allows delegation as above is called Hierarchical Identity- construct Hierarchical Identity-Based Signcryption scheme. Based Encryption (HIBE). In HIBE, messages are Using this method, a Hierarchical Identity-Based Sign- encrypted for identity-vectors, representing nodes in the cryption scheme can be converted from any Hierarchical identity hierarchy. This concept was introduced by Identity-Based Encryption scheme. Then, we give a concrete Horwitz and Lynn [9], who also described a partial instantiation, which is the first constant-size fully secure solution to it, and the first fully functional HIBE system hierarchical identity-based signcryption scheme in the standard model. Furthermore, our scheme can achieve was described by Gentry and Silverberg [10]. CCA2 security level without using any additional crypto- In many situations we want to enjoy confidentiality, graphy primitive. authenticity and non-repudiation of message simulta- neously. The general IBE (HIBE) can not guarantee the Index Terms—hierarchical identity-based signcryption, fully authenticity and non-repudiation. A traditional method to secure, constant-size ciphertext, composite order bilinear solve this problem is to digitally sign a message then group followed by an encryption (signature-then-encryption) that can have two problems: low efficiency and high cost of such summation, and the case that any arbitrary I.
    [Show full text]
  • A Fully Homomorphic Encryption Scheme
    A FULLY HOMOMORPHIC ENCRYPTION SCHEME A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Craig Gentry September 2009 °c Copyright by Craig Gentry 2009 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Dan Boneh) Principal Adviser I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (John Mitchell) I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Serge Plotkin) Approved for the University Committee on Graduate Studies. iii Abstract We propose the ¯rst fully homomorphic encryption scheme, solving a central open problem in cryptography. Such a scheme allows one to compute arbitrary functions over encrypted data without the decryption key { i.e., given encryptions E(m1);:::;E(mt) of m1; : : : ; mt, one can e±ciently compute a compact ciphertext that encrypts f(m1; : : : ; mt) for any e±- ciently computable function f. This problem was posed by Rivest et al. in 1978. Fully homomorphic encryption has numerous applications. For example, it enables private queries to a search engine { the user submits an encrypted query and the search engine computes a succinct encrypted answer without ever looking at the query in the clear.
    [Show full text]
  • Zero-Knowledge Proofs on Secret-Shared Data Via Fully Linear Pcps∗
    Zero-Knowledge Proofs on Secret-Shared Data via Fully Linear PCPs∗ Dan Bonehy Elette Boylez Henry Corrigan-Gibbs§ Niv Gilboa{ Yuval Ishaik August 21, 2019 Abstract We introduce and study the notion of fully linear probabilistically checkable proof systems. In such a proof system, the verifier can make a small number of linear queries that apply jointly to the input and a proof vector. Our new type of proof system is motivated by applications in which the input statement is not fully available to any single verifier, but can still be efficiently accessed via linear queries. This situation arises in scenarios where the input is partitioned or secret-shared between two or more parties, or alternatively is encoded using an additively homomorphic encryption or commitment scheme. This setting appears in the context of secure messaging platforms, verifiable outsourced computation, PIR writing, private computation of aggregate statistics, and secure multiparty computation (MPC). In all these applications, there is a need for fully linear proof systems with short proofs. While several efficient constructions of fully linear proof systems are implicit in the interactive proofs literature, many questions about their complexity are open. We present several new constructions of fully linear zero-knowledge proof systems with sublinear proof size for “simple” or “structured” languages. For example, in the non-interactive setting of fully linear PCPs, we n show how to prove that an inputp vector x 2pF , for a finite field F, satisfies a single degree-2 equation with a proof of size O( n) and O( n) linear queries, which we show to be optimal.
    [Show full text]
  • Data Collection with Self-Enforcing Privacy
    Data Collection With Self-Enforcing Privacy Philippe Golle Frank McSherry Ilya Mironov Palo Alto Research Center Microsoft Research Microsoft Research [email protected] [email protected] [email protected] ABSTRACT an untrustworthy pollster who is unable to make concrete Consider a pollster who wishes to collect private, sensitive privacy assurances. data from a number of distrustful individuals. How might The same problem affects individuals who are compelled the pollster convince the respondents that it is trustwor- to provide sensitive data to an untrusted party. Examples thy? Alternately, what mechanism could the respondents such as the census and medical data highlight cases where insist upon to ensure that mismanagement of their data is individuals are compelled to accuracy, either through law or detectable and publicly demonstrable? the threat of poor treatment, but the absence of “privacy We detail this problem, and provide simple data submis- oversight” leaves many uncomfortable. What mechanisms sion protocols with the properties that a) leakage of private can be used to assure individuals that poor privacy discipline data by the pollster results in evidence of the transgression can be caught and publicly demonstrated? and b) the evidence cannot be fabricated without break- We stress that this problem is different from the question ing cryptographic assumptions. With such guarantees, a of how the pollster or data collector can manage data to pre- responsible pollster could post a “privacy-bond”, forfeited serve privacy. Privacy preserving data mining research has to anyone who can provide evidence of leakage. The respon- blossomed of late and gives many satisfying answers to this dents are assured that appropriate penalties are applied to question [1].
    [Show full text]
  • Elliptic Curve Cryptography: Invention and Impact: the Invasion of the Number Theorists
    Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 1 / 69 Elliptic Curves Serge Lang It is possible to write endlessly about Elliptic Curves – this is not a threat! Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 2 / 69 Elliptic Curves A field that should be better known Studied intensively by number theorists for past 100 years. Until recently fairly arcane. Before 1985 – virtually unheard of in crypto and theoretical computer science community. In mathematical community: Mathematical Reviews has about 200 papers with “elliptic curve” in the title before 1984, but in all now has about 2000. A google search yield 66 pages of hits for the phrase “elliptic curve cryptography”. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 3 / 69 Elliptic Curves Elliptic Curves Set of solutions (points) to an equation E : y 2 = x3 + ax + b. More generally any cubic curve – above is “Weierstrass Form”. The set has a natural geometric group law, which also respects field of definition – works over finite fields. 02 3 Weierstrass p function: p = 4p − g2p − g3. Only doubly-periodic complex function. The hardest thing about the p function is making the Weierstrass p – Lipman Bers. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 4 / 69 Elliptic Curves Chord and Tangent Process Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 5 / 69 Elliptic Curves Karl Weierstrass Victor S.
    [Show full text]
  • Batching Techniques for Accumulators with Applications to Iops and Stateless Blockchains
    Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains Dan Boneh, Benedikt B¨unz,Ben Fisch Stanford University Abstract We present batching techniques for cryptographic accumulators and vec- tor commitments in groups of unknown order. Our techniques are tailored for distributed settings where no trusted accumulator manager exists and up- dates to the accumulator are processed in batches. We develop techniques for non-interactively aggregating membership proofs that can be verified with a constant number of group operations. We also provide a constant sized batch non-membership proof for a large number of elements. These proofs can be used to build the first positional vector commitment (VC) with constant sized openings and constant sized public parameters. As a core building block for our batching techniques we develop several succinct proof systems in groups of unknown order. These extend a recent construction of a succinct proof of correct exponentiation, and include a succinct proof of knowledge of an integer discrete logarithm between two group elements. We circumvent an impossibility result for Sigma-protocols in these groups by using a short trapdoor-free CRS. We use these new accumulator and vector commitment constructions to design a stateless blockchain, where nodes only need a constant amount of storage in order to participate in consensus. Further, we show how to use these techniques to reduce the size of IOP instantiations, such as STARKs. 1 Introduction A cryptographic accumulator [Bd94] is a primitive that produces a short binding commitment to a set of elements together with short membership and/or non- membership proofs for any element in the set.
    [Show full text]