## CryptoDB

### Cynthia Dwork

#### Publications

Year
Venue
Title
2019
EUROCRYPT
2017
TCC
2016
CRYPTO
2016
TCC
2015
ASIACRYPT
2009
TCC
2009
TCC
2008
CRYPTO
2006
EUROCRYPT
2006
TCC
2006
CRYPTO
2005
CRYPTO
2005
TCC
2004
CRYPTO
2004
EUROCRYPT
2004
TCC
2003
CRYPTO
1999
EPRINT
One of the toughest challenges in designing cryptographic protocols is to design them so that they will remain secure even when composed. For example, concurrent executions of a zero-knowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zero-knowledge in toto. In this work we: (1) Suggest time as a mechanism to design concurrent cryptographic protocols and in particular maintaining zero-knowledge under concurrent execution. (2) Introduce the notion of of Deniable Authentication and connect it to the problem of concurrent zero-knowledge. We do not assume global synchronization, however we assume an (alpha,beta) timing constraint: for any two processors $P_1$ and $P_2$, if $P_1$ measures alpha elapsed time on its local clock and $P_2$ measures beta elapsed time on its local clock, and $P_2$ starts after $P_1$ does, then $P_2$ will finish after $P_1$ does. We show that for an adversary controlling all the processors clocks (as well as their communication channels) but which is constrained by an (alpha,beta) constraint there exist four-round almost concurrent zero-knowledge interactive proofs and perfect concurrent zero-knowledge arguments for every language in NP. We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions, without recourse to timing, i.e., in the standard model.
1998
CRYPTO
1998
JOFC
1997
CRYPTO
1996
EPRINT
Consider a situation in which the transmission of encrypted messages is intercepted by an adversary who can later ask the sender to reveal the random choices (and also the secret key, if one exists) used in generating the ciphertext, thereby exposing the cleartext. An encryption scheme is <B>deniable</B> if the sender can generate fake random choices' that will make the ciphertext look like' an encryption of a different cleartext, thus keeping the real cleartext private. Analogous requirements can be formulated with respect to attacking the receiver and with respect to attacking both parties. In this paper we introduce deniable encryption and propose constructions of schemes with polynomial deniability. In addition to being interesting by itself, and having several applications, deniable encryption provides a simplified and elegant construction of <B>adaptively secure</B> multiparty computation.
1994
CRYPTO
1992
CRYPTO
1992
CRYPTO
1991
CRYPTO
1988
CRYPTO

#### Program Committees

TCC 2007
Crypto 2006 (Program chair)
TCC 2004
Eurocrypt 2003
Eurocrypt 1999