Results 1-10 of 15
Limits of Provable Security From Standard Assumptions, 2011
Cited by 11 (3 self)
Abstract
We show that the security of some well-known cryptographic protocols, primitives and assumptions (e.g., the Schnorr identification scheme, commitments secure under adaptive selective-decommitment, the “one-more” discrete logarithm assumption) cannot be based on any standard assumption using a Turing (i.e., black-box) reduction. These results follow from a general result showing that Turing reductions cannot be used to prove security of constant-round sequentially witness-hiding special-sound protocols for unique witness relations, based on standard assumptions; we emphasize that this result holds even if the protocol makes non-black-box use of the underlying assumption.
Constant-Round Non-Malleable Commitments from Any One-Way Function, 2011
Cited by 10 (3 self)
Abstract
We show unconditionally that the existence of commitment schemes implies the existence of constant-round non-malleable commitments; earlier protocols required additional assumptions such as collision-resistant hash functions or subexponential one-way functions. Our protocol also satisfies the stronger notions of concurrent non-malleability and robustness. As a corollary, we establish that constant-round non-malleable zero-knowledge arguments for NP can be based on one-way functions and constant-round secure multi-party computation can be based on enhanced trapdoor permutations; also here, earlier protocols additionally required either collision-resistant hash functions or subexponential one-way functions.
Concurrent zero knowledge in the bounded player model, 2012
Cited by 5 (2 self)
Abstract
In this paper we put forward the Bounded Player Model for secure computation. In this new model, the number of players that will ever be involved in secure computations is bounded, but the number of computations has no a priori bound. Indeed, while the number of devices and people on this planet can be realistically estimated and bounded, the number of computations these devices will run cannot be realistically bounded. We stress that in the Bounded Player model, in addition to no a priori bound on the number of sessions, there is no synchronization barrier, no trusted party, and simulation must be performed in polynomial time. In this setting, we achieve concurrent Zero Knowledge (cZK) with sub-logarithmic round complexity. Our security proof is (necessarily) non-black-box, our simulator is “straight-line” and works as long as the number of rounds is ω(1). We further show that, unlike previously studied relaxations of the standard model (e.g., timing assumptions, super-polynomial simulation), concurrent secure computation is impossible to achieve in the Bounded Player model. This gives evidence that our model is “closer” to the standard model than previously studied models, and we believe it might have additional applications.
Impossibility Results for Static Input Secure Computation
Cited by 5 (0 self)
Abstract
Consider a setting of two mutually distrustful parties Alice and Bob who want to securely evaluate some function on pre-specified inputs. The well-studied notion of two-party secure computation allows them to do so in the stand-alone setting. Consider a deterministic function (e.g., 1-out-of-2 bit OT) that Alice and Bob cannot evaluate trivially and which allows only Bob to receive the output. We show that Alice and Bob cannot securely compute any such function in the concurrent setting even when their inputs are pre-specified. Our impossibility result also extends to all deterministic functions in which both Alice and Bob get the same output. Our results have implications in the bounded-concurrent setting as well. Consider a setting of two mutually distrustful parties Alice and Bob who want to securely evaluate a function f. The well-studied notion of two-party secure computation [Yao86, GMW87] allows them to do so. However, this notion is only relevant to the stand-alone setting, where security holds only if a single protocol session is executed in isolation. Additionally, these secure computation protocols are interactive and Alice and Bob
Concurrently Secure Computation in Constant Rounds
Cited by 2 (0 self)
Abstract
We study the problem of constructing concurrently secure computation protocols in the plain model, where no trust is required in any party or setup. While the well-established UC framework for concurrent security is impossible to achieve in this setting, meaningful relaxed notions of concurrent security have been achieved. The main contribution of our work is a new technique useful for designing protocols in the concurrent setting (in the plain model). The core of our technique is a new rewinding-based extraction procedure which only requires the protocol to have a constant number of rounds. We show two main applications of our technique. We obtain the first concurrently secure computation protocol in the plain model with super-polynomial simulation (SPS) security that uses only a constant number of rounds and requires only standard assumptions. In contrast, the only previously known result (Canetti et al., FOCS’10) achieving SPS security based on standard assumptions requires a polynomial number of rounds. Our second contribution is a new definition of input-indistinguishable computation (IIC) and a constant-round protocol satisfying that definition. Our definition of input-indistinguishable computation is a simplification and strengthening of the definition of Micali et al. (FOCS’06) in various directions. Most notably, our definition provides meaningful security guarantees even for randomized functionalities. Interestingly, we show that in fact the same protocol satisfies both the SPS and the IIC security notions.
Round-Efficient Black-Box Construction of Composable Multi-Party Computation, 2014
Cited by 2 (1 self)
Abstract
We present a round-efficient black-box construction of a general MPC protocol that satisfies composability in the plain model. The security of our protocol is proven in the angel-based UC framework under the minimal assumption of the existence of semi-honest oblivious transfer protocols. When the round complexity of the underlying oblivious transfer protocol is r_OT(n), the round complexity of our protocol is max(Õ(log² n), O(r_OT(n))). Since constant-round semi-honest oblivious transfer protocols can be constructed under standard assumptions (such as the existence of enhanced trapdoor permutations), our result gives an Õ(log² n)-round protocol under these assumptions. Previously, only an O(max(n, r_OT(n)))-round protocol was shown, where > 0 is an arbitrary constant. We obtain our MPC protocol by constructing an Õ(log² n)-round CCA-secure commitment scheme in a black-box way under the assumption of the existence of one-way functions.
Limits of security reductions from standard assumptions, in STOC, 2011
Cited by 1 (0 self)
Abstract
We show that the security of some well-known cryptographic protocols, primitives and assumptions (e.g., the Schnorr identification scheme, commitments secure under adaptive selective-decommitment, the “one-more” discrete logarithm assumption) cannot be based on any standard assumption using a Turing (i.e., black-box) reduction. These results follow from a general result showing that Turing reductions cannot be used to prove security of constant-round sequentially witness-hiding special-sound protocols for unique witness relations, based on standard assumptions; we emphasize that this result holds even if the protocol makes non-black-box use of the underlying assumption.
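The two "Limits" abstracts above name the Schnorr identification scheme as a constant-round special-sound protocol for a unique-witness relation, and the "Concurrently Secure Computation in Constant Rounds" abstract relies on rewinding-based extraction; neither spells out what those terms mean concretely. The following is an added example written for this page, not code from any of the listed papers: a toy Schnorr identification protocol together with the special-soundness extractor, which obtains the witness by rewinding the prover to the same first message and issuing a second challenge (a black-box, i.e. Turing, use of the prover). The group parameters P = 2039, Q = 1019, G = 4 and all function names are this example's own choices; they are deliberately tiny so the arithmetic can be checked by hand, and a real deployment would use a group of roughly 256-bit prime order.

```python
"""Toy Schnorr identification plus the special-soundness (rewinding) extractor.

Added illustration, not from the cited papers. P, Q, G are toy parameters:
P = 2*Q + 1 is prime, Q is prime, and G = 2^2 generates the order-Q subgroup.
"""
import secrets

P = 2039  # prime modulus, P = 2*Q + 1
Q = 1019  # prime order of the subgroup generated by G
G = 4     # 2^2 mod P, hence a quadratic residue of order exactly Q


def keygen():
    """Witness x (a discrete log) and statement y = G^x mod P.

    Q is prime and G generates the whole subgroup, so each y has exactly one
    x in [1, Q): the relation {(y, x) : G^x = y} is a unique-witness relation.
    """
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Round 1: prover samples r and sends a = G^r; r is kept as state."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def prover_respond(x, r, c):
    """Round 3: answer challenge c with z = r + c*x mod Q."""
    return (r + c * x) % Q


def verify(y, a, c, z):
    """Verifier accepts iff G^z == a * y^c mod P."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def make_prover(x):
    """Honest prover fixed at the point just after sending a.

    Returns (a, respond); calling respond(c) twice with different challenges
    models rewinding the prover to this state.
    """
    r, a = prover_commit()
    return a, lambda c: prover_respond(x, r, c)


def extract(a, c1, z1, c2, z2):
    """Special soundness: two accepting transcripts (a, c1, z1), (a, c2, z2)
    with c1 != c2 mod Q determine the witness x = (z1 - z2) / (c1 - c2) mod Q.
    """
    d = (c1 - c2) % Q
    if d == 0:
        raise ValueError("challenges must differ mod Q")
    return ((z1 - z2) * pow(d, -1, Q)) % Q


def rewind_and_extract(a, respond, c1, c2):
    """Black-box extractor: query the prover at two challenges from the same
    first message and solve for the witness. It never inspects the prover's
    internals, only its responses (this is what a Turing reduction may do)."""
    z1, z2 = respond(c1), respond(c2)
    return extract(a, c1, z1, c2, z2)


if __name__ == "__main__":
    x, y = keygen()
    a, respond = make_prover(x)
    c = secrets.randbelow(Q)
    print("honest run accepted:", verify(y, a, c, respond(c)))
    print("extracted witness matches:", rewind_and_extract(a, respond, 3, 5) == x)
```

The extractor is exactly the rewinding step that a black-box reduction would perform; the point of the two abstracts is that for protocols of this shape (constant rounds, special sound, unique witness) such a reduction cannot be the basis of a proof of sequential witness hiding from standard assumptions.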
On Non-Black-Box Simulation and the Impossibility of Approximate Obfuscation
Cited by 1 (0 self)
Abstract
The introduction of a non-black-box simulation technique by Barak (FOCS 2001) has been a major landmark in cryptography, breaking the previous barriers of black-box impossibility. Barak’s technique has given rise to various powerful applications and it is a key component in all known protocols with non-black-box simulation. We present the first non-black-box simulation technique that does not rely on Barak’s technique (or on non-standard assumptions). Invoking this technique, we obtain new and improved protocols resilient to various resetting attacks. These improvements include weaker computational assumptions and better round complexity. A prominent feature of our technique is its compatibility with rewinding techniques from classic black-box zero-knowledge protocols. The combination of rewinding with non-black-box simulation has proven instrumental in coping with challenging goals such as simultaneously-resettable zero-knowledge, proofs of knowledge, and resettable security from one-way functions. While previous works required tailored modifications to Barak’s technique, we give a general recipe for combining our technique with rewinding. This yields simplified resettable protocols in the above settings, as well as improvements in round complexity and required computational assumptions. The main ingredient in our technique is a new impossibility result for general program obfuscation. The results extend the impossibility result of Barak et al. (CRYPTO 2001) to the case of obfuscation with approximate functionality, thus settling a question left open by Barak et al. In the converse direction, we show a generic transformation
Constant-Round Black-Box Construction of Composable Multi-Party Computation Protocol, 2013
Cited by 1 (0 self)
Abstract
We present the first general MPC protocol that satisfies the following: (1) the construction is black-box, (2) the protocol is universally composable in the plain model, and (3) the number of rounds is constant. The security of our protocol is proven in angel-based UC security under the assumption of the existence of one-way functions that are secure against subexponential-time adversaries and constant-round semi-honest oblivious transfer protocols that are secure against quasi-polynomial-time adversaries. We obtain the MPC protocol by constructing a constant-round CCA-secure commitment scheme in a black-box way under the assumption of the existence of one-way functions that are secure against subexponential-time adversaries. To justify the use of such a subexponential hardness assumption in obtaining our constant-round CCA-secure commitment scheme, we show that if black-box reductions are used, there does not exist any constant-round CCA-secure commitment scheme under any falsifiable polynomial-time hardness assumptions.
Settling the Round-Complexity of Non-Malleable Commitments, 2010
Abstract
We show unconditionally that the existence of commitment schemes implies the existence of constant-round non-malleable commitments; earlier protocols required additional assumptions such as collision-resistant hash functions or subexponential one-way functions. Our protocol also satisfies the stronger notions of concurrent non-malleability and robustness. As a corollary, we establish that constant-round secure multi-party computation can be based on only enhanced trapdoor permutations; also here, earlier protocols additionally required either collision-resistant hash functions or subexponential one-way functions.
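Both non-malleable commitment abstracts on this page ("Constant-Round Non-Malleable Commitments from Any One-Way Function" and "Settling the Round-Complexity of Non-Malleable Commitments") take for granted what a malleable commitment looks like. The following is an added example written for this page, not code from either paper: a plain Pedersen commitment in a toy group, with the additive and multiplicative malleations a man-in-the-middle can perform without ever learning the committed value, and the related opening it can later produce once the honest sender opens. The parameters P = 2039, Q = 1019, G = 4, H = 9 and all names are this example's own choices; in a real scheme H is derived so that nobody knows log_G(H), which a toy group cannot honestly provide.

```python
"""Malleability of a plain Pedersen commitment, i.e. what non-malleable
commitments are designed to rule out.

Added illustration, not from the cited papers. Toy parameters: P = 2*Q + 1
and Q are prime; G and H are quadratic residues, hence lie in the order-Q
subgroup. H's discrete log base G is assumed unknown (a toy assumption).
"""
import secrets

P = 2039  # prime modulus, P = 2*Q + 1
Q = 1019  # prime order of the subgroup containing G and H
G = 4     # 2^2 mod P
H = 9     # 3^2 mod P; log_G(H) assumed unknown to every party (toy assumption)


def commit(m, r):
    """Pedersen commitment to m in Z_Q with randomness r: Com(m; r) = G^m * H^r mod P."""
    return (pow(G, m % Q, P) * pow(H, r % Q, P)) % P


def verify_opening(c, m, r):
    """Receiver's check when the sender later reveals (m, r)."""
    return commit(m, r) == c


def mall_add(c, delta):
    """From c = Com(m; r) alone, produce Com(m + delta; r). No knowledge of m or r needed."""
    return (c * pow(G, delta % Q, P)) % P


def mall_scale(c, k):
    """From c = Com(m; r) alone, produce Com(k*m; k*r)."""
    return pow(c, k % Q, P)


def mim_related_commitment(c_honest, delta):
    """Man-in-the-middle attack on the commit phase.

    The adversary receives the honest sender's commitment, forwards a
    commitment to the related value m + delta to its own receiver, and
    returns an opener: once the honest sender opens (m, r), the adversary
    opens its commitment as (m + delta, r) and the receiver accepts.
    """
    c_mim = mall_add(c_honest, delta)

    def open_with(m, r):
        return (m + delta) % Q, r

    return c_mim, open_with


if __name__ == "__main__":
    m, r = 42, secrets.randbelow(Q)
    c = commit(m, r)
    c_mim, opener = mim_related_commitment(c, 100)
    m2, r2 = opener(m, r)
    print("honest opening accepted:", verify_opening(c, m, r))
    print("adversary's related opening accepted:", verify_opening(c_mim, m2, r2), "value:", m2)
```

The attacker never learns m or r, yet commits to and later correctly opens a value that depends on m; a non-malleable commitment, as constructed in the two papers above, makes producing such a related commitment infeasible.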