Learn More
We introduce the notion of abuse-free distributed contract signing, that is, distributed contract signing in which no party ever can prove to a third party that he is capable of choosing whether to validate or invalidate the contract. Assume Alice and Bob are signing a contract. If the contract protocol they use is not abuse-free, then it is possible for(More)
When designing password-authenticated key exchange protocols (as opposed to key exchange protocols authenticated using cryptographically secure keys), one must not allow any information to be leaked that would allow verification of the password (a weak shared key), since an attacker who obtains this information may be able to run an off-line dictionary(More)
We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications and whose local private key is activated with a password or PIN can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device but rather(More)
Typical protocols for password-based authentication assume a single server which stores all the information (e.g., the password) necessary to authenticate a user. Unfortunately, an inherent limitation of this approach (assuming low-entropy passwords are used) is that the user's password is exposed if this server is ever compromised. To address this issue, a(More)
We introduce new eecient techniques for sharing cryptographic functions in a distributed dynamic fashion. These techniques dynamically and securely transform a distributed function (or secret sharing) representation between tout of -l (polynomial sharing) and tout of -t (additive sharing). We call the techniques poly-to-sum and sum-to-poly, respectively.(More)
We propose and realize a definition of security for password-based key exchange within the framework of universally composable (UC) security, thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For(More)
In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised,(More)