Bi-deniable public-key encryption
In CRYPTO, 2011
Cited by 13 (3 self)
In CRYPTO 1997, Canetti et al. put forward the intriguing notion of deniable encryption, which (informally) allows a sender and/or receiver, having already performed some encrypted communication, to produce ‘fake’ (but legitimate-looking) random coins that open the ciphertext to another message. Deniability is a powerful notion for both practice and theory: apart from its inherent utility for resisting coercion, a deniable scheme is also non-committing (a useful property in constructing adaptively secure protocols) and secure under selective-opening attacks on whichever parties can equivocate. To date, however, known constructions have achieved only limited forms of deniability, requiring at least one party to withhold its randomness, and in some cases using an interactive protocol or external parties. In this work we construct bi-deniable public-key cryptosystems, in which both the sender and receiver can simultaneously equivocate; we stress that the schemes are non-interactive and involve no third parties. One of our systems is based generically on “simulatable encryption” as defined by Damgård and Nielsen (CRYPTO 2000), while the other is lattice-based and builds upon the results of Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that may be of independent interest. Both schemes work in the so-called “multi-distributional” model, in which the parties run alternative key-generation and encryption algorithms for equivocable communication, but claim under coercion to have run the prescribed algorithms. Although multi-distributional deniability has not attracted much attention, we argue that it is meaningful and useful because it provides credible coercion resistance in certain settings, and suffices for all of the related properties mentioned above. Keywords: deniable encryption, non-committing encryption, simulatable encryption, lattice cryptography.
Deniable Encryption with Negligible Detection Probability: An Interactive Construction
2011
Cited by 9 (0 self)
Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not given the real message. To date, constructions are only known either for weakened variants with separate “honest” and “dishonest” encryption algorithms, or for single-algorithm schemes with non-negligible detection probability. We propose the first sender-deniable public key encryption system with a single encryption algorithm and negligible detection probability. We describe a generic interactive construction based on a public key bit encryption scheme that has certain properties, and we give two examples of encryption schemes with these properties, one based on the quadratic residuosity assumption and the other on trapdoor permutations.
Program Obfuscation with Leaky Hardware
2011
Cited by 5 (1 self)
We consider general program obfuscation mechanisms using “somewhat trusted” hardware devices, with the goal of minimizing the usage of the hardware, its complexity, and the required trust. Specifically, our solution has the following properties: (i) The obfuscation remains secure even if all the hardware devices in use are leaky. That is, the adversary can obtain the result of evaluating any function on the local state of the device, as long as this function has short output. In addition, the adversary also controls the communication between the devices. (ii) The number of hardware devices used in an obfuscation and the amount of work they perform are polynomial in the security parameter, independently of the obfuscated function’s complexity. (iii) A (universal) set of hardware components, owned by the user, is initialized only once and from that point on can be used with multiple “software-based” obfuscations sent by different vendors.
Adaptively secure, universally composable, multiparty computation in constant rounds
2014
Cited by 4 (1 self)
Cryptographic protocols with adaptive security ensure that security holds against an adversary who can dynamically determine which parties to corrupt as the protocol progresses—or even after the protocol is finished. In the setting where all parties may potentially be corrupted, and secure erasure is not assumed, it has been a longstanding open question to design secure-computation protocols with adaptive security running in constant rounds. Here, we show a constant-round, universally composable protocol for computing any functionality, tolerating a malicious, adaptive adversary corrupting any number of parties. Interestingly, our protocol can compute all functionalities, not just adaptively well-formed ones.
Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption
Cited by 2 (0 self)
Fully homomorphic encryption (FHE) is a form of public-key encryption that enables arbitrary computation over encrypted data. The past few years have seen several realizations of FHE under different assumptions, and FHE has been used as a building block in many cryptographic applications. Adaptive security for public-key encryption schemes is an important security notion that was proposed by Canetti et al. over 15 years ago. It is intended to ensure security when encryption is used within an interactive protocol, and parties may be adaptively corrupted by an adversary during the course of the protocol execution. Due to the extensive applications of FHE to protocol design, it is natural to understand whether adaptively secure FHE is achievable. In this paper we show two contrasting results in this direction. First, we show that adaptive security is impossible for FHE satisfying the (standard) compactness requirement. On the other hand, we show a construction of adaptively secure FHE that is not compact, but which does achieve circuit privacy.
Secure Computation Against Adaptive Auxiliary Information
Cited by 1 (0 self)
We study the problem of secure two-party and multi-party computation (MPC) in a setting where a cheating polynomial-time adversary can corrupt an arbitrary subset of parties and, in addition, learn arbitrary auxiliary information on the entire states of all honest parties (including their inputs and random coins), in an adaptive manner, throughout the protocol execution. We formalize a definition of multi-party computation secure against adaptive auxiliary information (AAI-MPC), that intuitively guarantees that such an adversary learns no more than the function output and the adaptive auxiliary information. In particular, if the auxiliary information contains only partial, “noisy,” or computationally invertible information on secret inputs, then only such information should be revealed. We construct a universally composable AAI two-party and multi-party computation protocol that realizes any (efficiently computable) functionality against malicious adversaries in the common reference string model, based on the linear assumption over bilinear groups and the nth residuosity assumption. Apart from theoretical interest, our result has interesting applications to the regime of leakage-resilient cryptography. At the heart of our construction is a new two-round oblivious transfer protocol secure against malicious adversaries who may receive adaptive auxiliary information. This may be of independent interest.
Securing Circuits Against Constant-Rate Tampering
Cited by 1 (0 self)
We present a compiler that converts any circuit into one that remains secure even if a constant fraction of its wires are tampered with. Following the seminal work of Ishai et al. (Eurocrypt 2006), we consider adversaries who may choose an arbitrary set of wires to corrupt, and may set each such wire to 0 or to 1, or may toggle with the wire. We prove that such adversaries, who continuously tamper with the circuit, can learn at most logarithmically many bits of secret information (in addition to black-box access to the circuit). Our results are information theoretic. Key words: side-channel attacks, tampering, circuit compiler, PCP of proximity.
Lower and Upper Bounds for Deniable Public-Key Encryption
Cited by 1 (0 self)
A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allowing the parties to change their internal state to make it look like a given ciphertext decrypts to a message different from what it really decrypts to. Deniable encryption was in this way introduced to allow to deny a message exchange and hence combat coercion. Depending on which parties can be coerced, the security level, the flavor and the number of rounds of the cryptosystem, it is possible to define a number of notions of deniable encryption. In this paper we prove that there does not exist any non-interactive receiver-deniable cryptosystem with better than polynomial security. This also shows that it is impossible to construct a non-interactive bi-deniable public-key encryption scheme with better than polynomial security. Specifically, we give an explicit bound relating the security of the scheme to how efficient the scheme is in terms of key size. Our impossibility result establishes a lower bound on the security. As a final contribution we give constructions of deniable public-key encryption schemes which establish upper bounds on the security in terms of key length. There is a gap between our lower and upper bounds, which leaves the interesting open problem of finding the tight bounds.
Black-Box, Round-Efficient Secure Computation via Non-Malleability Amplification
We present round-efficient protocols for secure multi-party computation with a dishonest majority that rely on black-box access to the underlying primitives. Our main contributions are:
• an O(log* n)-round protocol that relies on black-box access to dense cryptosystems, homomorphic encryption schemes, or lossy encryption schemes. This improves upon the recent O(1)^{log* n}-round protocol of Lin, Pass and Venkitasubramaniam (STOC 2009) that relies on non-black-box access to a smaller class of primitives.
• an O(1)-round protocol requiring, in addition, black-box access to a one-way function with subexponential hardness, improving upon the recent work of Pass and Wee (Eurocrypt 2010).
These are the first black-box constructions for secure computation with sublinear round complexity. Our constructions build on and improve upon the work of Lin and Pass (STOC 2009) on non-malleability amplification, as well as that of Ishai et al. (STOC 2006) on black-box secure computation. In addition to the results on secure computation, we also obtain a simple construction of an O(log* n)-round non-malleable commitment scheme based on one-way functions, improving upon the recent O(1)^{log* n}-round protocol of Lin and Pass (STOC 2009). Our construction uses a novel transformation for handling arbitrary man-in-the-middle scheduling strategies which improves upon a previous construction of Barak (FOCS 2002). Keywords: secure multi-party computation, round complexity, black-box constructions, non-malleable commitments.
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition:
• Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve round-optimal protocols with static security, or 3-round protocols with adaptive security (assuming erasure).
• Our resulting protocols are more efficient than any known previously, and in particular yield protocols for string OT using O(1) exponentiations and communicating O(1) group elements.
Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length depends on the number of parties in the network and achieves only static security. Compared to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and efficiency.