Results 1-10 of 15
Universally Composable Commitments
2001
Cited by 140 (8 self)
We propose a new security measure for commitment protocols, called Universally Composable
On the Limitations of Universally Composable Two-Party Computation without Setup Assumptions
Journal of Cryptology, 2003
Cited by 82 (16 self)
The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multi-party, multi-protocol, multi-execution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output.
Adaptively Secure Multiparty Computation
1996
Cited by 77 (8 self)
A fundamental problem in designing secure multiparty protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographic primitives based on the computational limitations of the adversary.
Efficient and Non-Interactive Non-Malleable Commitment
2001
Cited by 57 (7 self)
We present new constructions of non-malleable commitment schemes, in the public parameter model (where a trusted party makes parameters available to all parties), based on the discrete logarithm or RSA assumptions. The main features of our schemes are: they achieve near-optimal communication for arbitrarily-large messages and are non-interactive. Previous schemes either required (several rounds of) interaction or focused on achieving non-malleable commitment based on general assumptions and were thus efficient only when committing to a single bit. Although our main constructions are for the case of perfectly-hiding commitment, we also present a communication-efficient, non-interactive commitment scheme (based on general assumptions) that is perfectly binding.
On Concurrent Zero-Knowledge with Pre-Processing
Proceedings of Advances in Cryptology (CRYPTO '99), 1999
Cited by 34 (4 self)
Concurrent Zero-Knowledge protocols remain zero-knowledge even when many sessions of them are executed together. These protocols have applications in a distributed setting, where many executions of the same protocol must take place at the same time by many parties, such as the Internet. In this paper, we are concerned with the number of rounds of interaction needed for such protocols and their efficiency. Here, we show an efficient constant-round concurrent zero-knowledge protocol with pre-processing for all languages in NP, where both the pre-processing phase and the proof phase each require 3 rounds of interaction. We make no timing assumptions or assumptions on the knowledge of the number of parties in the system. Moreover, we allow arbitrary interleavings in both the pre-processing and in the proof phase. Our techniques apply to both zero-knowledge proof systems and zero-knowledge arguments, and we show how to extend our technique so that a polynomial number of zero-knowledge proofs/arguments can be executed after the pre-processing phase is done.
On Simulation-Sound Trapdoor Commitments
In Proceedings of EUROCRYPT ’04, LNCS series, 2003
Cited by 33 (1 self)
We study the recently introduced notion of a simulation-sound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any one-way functions, and how to construct very efficient SSTC schemes based on specific number-theoretic assumptions. We also show how to construct simulation-sound, non-malleable, and universally-composable zero-knowledge protocols using SSTC schemes, yielding, for instance, the most efficient universally-composable zero-knowledge protocols known. Finally, we explore the relation between SSTC schemes and non-malleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are non-malleable.
Efficient Cryptographic Protocols Preventing “Man-in-the-Middle” Attacks
Columbia University, 2002
Cited by 12 (2 self)
In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., “man-in-the-middle” attacks) in which — in addition to eavesdropping — the adversary inserts, deletes, or arbitrarily modifies messages sent from one user to another. Passive attacks are well characterized (the adversary’s choices are inherently limited) and techniques for achieving security against passive attacks are relatively well understood. Indeed, cryptographers have long focused on methods for countering passive eavesdropping attacks, and much work in the 1970s and 1980s has dealt with formalizing notions of security and providing provably-secure solutions for this setting. On the other hand, active attacks are not well characterized and precise modeling has been difficult. Few techniques exist for dealing with active attacks, and designing practical protocols secure against such attacks remains a challenge. This dissertation considers active attacks in a variety of settings and provides new, provably-secure protocols preventing such attacks. Proofs of security are in the standard cryptographic model and rely on well-known cryptographic assumptions. The protocols presented here are efficient and
Black-box constructions of two-party protocols from one-way functions
In TCC, 2009
Cited by 7 (5 self)
We exhibit constructions of the following two-party cryptographic protocols given only black-box access to a one-way function: – constant-round zero-knowledge arguments (of knowledge) for any language in NP; – constant-round trapdoor commitment schemes; – constant-round parallel coin-tossing. Previous constructions either require stronger computational assumptions (e.g. collision-resistant hash functions), non-black-box access to a one-way function, or a super-constant number of rounds. As an immediate corollary, we obtain a constant-round black-box construction of secure two-party computation protocols starting from only semi-honest oblivious transfer. In addition, by combining our techniques with recent constructions of concurrent zero-knowledge and non-malleable primitives, we obtain black-box constructions of concurrent zero-knowledge arguments for NP and non-malleable commitments starting from only one-way functions. Key words: black-box constructions, zero-knowledge arguments, trapdoor commitments, parallel coin-tossing, secure two-party computation, non-malleable commitments
Adaptive Zero-Knowledge Proofs and Adaptively Secure Oblivious Transfer
2009
Cited by 5 (2 self)
In the setting of secure computation, a set of parties wish to securely compute some function of their inputs, in the presence of an adversary. The adversary in question may be static (meaning that it controls a predetermined subset of the parties) or adaptive (meaning that it can choose to corrupt parties during the protocol execution and based on what it sees). In this paper, we study two fundamental questions relating to the basic zero-knowledge and oblivious transfer protocol problems:
• Adaptive zero-knowledge proofs: We ask whether it is possible to construct adaptive zero-knowledge proofs (with unconditional soundness). Beaver (STOC 1996) showed that known zero-knowledge proofs are not adaptively secure, and in addition showed how to construct zero-knowledge arguments (with computational soundness).
• Adaptively secure oblivious transfer: All known protocols for adaptively secure oblivious transfer rely on seemingly stronger hardness assumptions than for the case of static adversaries. We ask whether this is inherent, and in particular, whether it is possible to construct adaptively secure oblivious transfer from enhanced trapdoor permutations alone.
Equivocal Blind Signatures and Adaptive UC-Security
2007
Cited by 3 (0 self)
We study the design of practical blind signatures in the universal composability (UC) setting against adaptive adversaries. We introduce a new property for blind signature schemes that is fundamental for managing adaptive adversaries: an equivocal blind signature is a blind signature protocol where a simulator can construct the internal state of the client so that it matches a simulated transcript even after a signature was released. We present a general construction methodology for building practical adaptively secure blind signatures: the starting point is a 2-move “lite blind signature”, a lightweight 2-party signature protocol that we formalize and implement both generically as well as number theoretically: formalizing a primitive as “lite” means that the adversary is required to show all private tapes of adversarially controlled parties; this enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the primitive’s design methodology. We then focus on the exact ZK requirements for building blind signatures. To this effect, we formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK), and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. SVZK can be realized without relying on a multi-session UC commitment; as