Results 1-10 of 12
Deniable Encryption with Negligible Detection Probability: An Interactive Construction
2011
Abstract
Cited by 8 (0 self)
Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not given the real message. To date, constructions are only known either for weakened variants with separate “honest” and “dishonest” encryption algorithms, or for single-algorithm schemes with non-negligible detection probability. We propose the first sender-deniable public key encryption system with a single encryption algorithm and negligible detection probability. We describe a generic interactive construction based on a public key bit encryption scheme that has certain properties, and we give two examples of encryption schemes with these properties, one based on the quadratic residuosity assumption and the other on trapdoor permutations.
Bi-deniable public-key encryption
In CRYPTO, 2011
Abstract
Cited by 6 (2 self)
In CRYPTO 1997, Canetti et al. put forward the intriguing notion of deniable encryption, which (informally) allows a sender and/or receiver, having already performed some encrypted communication, to produce ‘fake’ (but legitimate-looking) random coins that open the ciphertext to another message. Deniability is a powerful notion for both practice and theory: apart from its inherent utility for resisting coercion, a deniable scheme is also non-committing (a useful property in constructing adaptively secure protocols) and secure under selective-opening attacks on whichever parties can equivocate. To date, however, known constructions have achieved only limited forms of deniability, requiring at least one party to withhold its randomness, and in some cases using an interactive protocol or external parties. In this work we construct bi-deniable public-key cryptosystems, in which both the sender and receiver can simultaneously equivocate; we stress that the schemes are non-interactive and involve no third parties. One of our systems is based generically on “simulatable encryption” as defined by Damgård and Nielsen (CRYPTO 2000), while the other is lattice-based and builds upon the results of Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that may be of independent interest. Both schemes work in the so-called “multi-distributional” model, in which the parties run alternative key-generation and encryption algorithms for equivocable communication, but claim under coercion to have run the prescribed algorithms. Although multi-distributional deniability has not attracted much attention, we argue that it is meaningful and useful because it provides credible coercion resistance in certain settings, and suffices for all of the related properties mentioned above.
Keywords: deniable encryption, non-committing encryption, simulatable encryption, lattice cryptography.
Program Obfuscation with Leaky Hardware
2011
Abstract
Cited by 1 (1 self)
We consider general program obfuscation mechanisms using “somewhat trusted” hardware devices, with the goal of minimizing the usage of the hardware, its complexity, and the required trust. Specifically, our solution has the following properties: (i) The obfuscation remains secure even if all the hardware devices in use are leaky. That is, the adversary can obtain the result of evaluating any function on the local state of the device, as long as this function has short output. In addition, the adversary also controls the communication between the devices. (ii) The number of hardware devices used in an obfuscation and the amount of work they perform are polynomial in the security parameter, independently of the obfuscated function’s complexity. (iii) A (universal) set of hardware components, owned by the user, is initialized only once and from that point on can be used with multiple “software-based” obfuscations sent by different vendors.
Securing Circuits Against Constant-Rate Tampering
Abstract
Cited by 1 (0 self)
We present a compiler that converts any circuit into one that remains secure even if a constant fraction of its wires are tampered with. Following the seminal work of Ishai et al. (Eurocrypt 2006), we consider adversaries who may choose an arbitrary set of wires to corrupt, and may set each such wire to 0 or to 1, or may toggle the wire. We prove that such adversaries, who continuously tamper with the circuit, can learn at most logarithmically many bits of secret information (in addition to black-box access to the circuit). Our results are information-theoretic.
Key words: side-channel attacks, tampering, circuit compiler, PCP of proximity
Black-Box, Round-Efficient Secure Computation via Non-Malleability Amplification
Abstract
We present round-efficient protocols for secure multiparty computation with a dishonest majority that rely on black-box access to the underlying primitives. Our main contributions are:
• an O(log* n)-round protocol that relies on black-box access to dense cryptosystems, homomorphic encryption schemes, or lossy encryption schemes. This improves upon the recent O(1)^{log* n}-round protocol of Lin, Pass and Venkitasubramaniam (STOC 2009) that relies on non-black-box access to a smaller class of primitives.
• an O(1)-round protocol requiring, in addition, black-box access to a one-way function with sub-exponential hardness, improving upon the recent work of Pass and Wee (Eurocrypt 2010).
These are the first black-box constructions for secure computation with sublinear round complexity. Our constructions build on and improve upon the work of Lin and Pass (STOC 2009) on non-malleability amplification, as well as that of Ishai et al. (STOC 2006) on black-box secure computation. In addition to the results on secure computation, we also obtain a simple construction of an O(log* n)-round non-malleable commitment scheme based on one-way functions, improving upon the recent O(1)^{log* n}-round protocol of Lin and Pass (STOC 2009). Our construction uses a novel transformation for handling arbitrary man-in-the-middle scheduling strategies which improves upon a previous construction of Barak (FOCS 2002).
Keywords: secure multiparty computation, round complexity, black-box constructions, non-malleable commitments.
Lower and Upper Bounds for Deniable Public-Key Encryption
Abstract
A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allowing the parties to change their internal state to make it look like a given ciphertext decrypts to a message different from what it really decrypts to. Deniable encryption was in this way introduced to allow parties to deny a message exchange and hence combat coercion. Depending on which parties can be coerced, the security level, the flavor and the number of rounds of the cryptosystem, it is possible to define a number of notions of deniable encryption. In this paper we prove that there does not exist any non-interactive receiver-deniable cryptosystem with better than polynomial security. This also shows that it is impossible to construct a non-interactive bi-deniable public-key encryption scheme with better than polynomial security. Specifically, we give an explicit bound relating the security of the scheme to how efficient the scheme is in terms of key size. Our impossibility result establishes a lower bound on the security. As a final contribution we give constructions of deniable public-key encryption schemes which establish upper bounds on the security in terms of key length. There is a gap between our lower and upper bounds, which leaves the interesting open problem of finding the tight bounds.
One-Sided Adaptively Secure Two-Party Computation
Abstract
Adaptive security is a strong security notion that captures additional security threats that are not addressed by static corruptions. For instance, it captures scenarios in which the attacker chooses which party to corrupt based on the protocol communication. It further captures real-world scenarios where “hackers” actively break into computers, possibly while they are executing secure protocols. Studying this setting is interesting from both theoretical and practical points of view. The former is because the theoretical understanding of this setting is not yet profound and important questions are still unresolved; a notable example is the question regarding the feasibility of constant-round adaptively secure protocols. From a practical viewpoint, generic adaptively secure protocols are far more complicated and less efficient than static protocols. A primary building block in designing adaptively secure protocols is a non-committing encryption, or NCE, that implements secure communication channels in the presence of adaptive corruptions. Current NCE constructions require a number of public key operations that grows linearly with the length of the message. Furthermore, general two-party protocols require a number of NCE calls that is linear in the circuit size (or otherwise the protocol is not round efficient). As a result the number of public key
Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption
Abstract
Fully homomorphic encryption (FHE) is a form of public-key encryption that enables arbitrary computation over encrypted data. The past few years have seen several realizations of FHE under different assumptions, and FHE has been used as a building block in many cryptographic applications. Adaptive security for public-key encryption schemes is an important security notion that was proposed by Canetti et al. over 15 years ago. It is intended to ensure security when encryption is used within an interactive protocol, and parties may be adaptively corrupted by an adversary during the course of the protocol execution. Due to the extensive applications of FHE to protocol design, it is natural to understand whether adaptively secure FHE is achievable. In this paper we show two contrasting results in this direction. First, we show that adaptive security is impossible for FHE satisfying the (standard) compactness requirement. On the other hand, we show a construction of adaptively secure FHE that is not compact, but which does achieve circuit privacy.
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
Abstract
We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition:
• Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve round-optimal protocols with static security, or 3-round protocols with adaptive security (assuming erasure).
• Our resulting protocols are more efficient than any known previously, and in particular yield protocols for string OT using O(1) exponentiations and communicating O(1) group elements.
Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length depends on the number of parties in the network and achieves only static security. Compared to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and efficiency.
On the Impossibility of Sender-Deniable Public Key Encryption
Abstract
The primitive of deniable encryption was first introduced by Canetti et al. (CRYPTO, 1997). Deniable encryption is a regular public key encryption scheme with the added feature that after running the protocol honestly and transmitting a message m, both Sender and Receiver may produce random coins showing that the transmitted ciphertext was an encryption of any message m′ in the message space. Deniable encryption is a key tool for constructing incoercible protocols, since it allows a party to send one message and later provide apparent evidence to a coercer that a different message was sent. In addition, deniable encryption may be used to obtain adaptively-secure multiparty computation (MPC) protocols and is secure under selective-opening attacks. Different flavors such as sender-deniable and receiver-deniable encryption, where only the Sender or Receiver can produce fake random coins, have been considered. Recently, several open questions regarding the feasibility of deniable encryption have been resolved (cf. O’Neill et al., CRYPTO 2011; Bendlin et al., ASIACRYPT 2011). A fundamental remaining open question is whether it is possible to construct sender-deniable encryption schemes with super-polynomial security, where an adversary has negligible advantage in distinguishing real and fake openings. The primitive of simulatable public key encryption (PKE), introduced by Damgård and Nielsen (CRYPTO, 2000), is a public key encryption scheme with additional properties that allow oblivious sampling of public keys and