Results 1  10
of
10
Deniable Encryption with Negligible Detection Probability: An Interactive Construction
, 2011
"... Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake ” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not gi ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake ” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not given the real message. To date, constructions are only known either for weakened variants with separate “honest” and “dishonest ” encryption algorithms, or for singlealgorithm schemes with nonnegligible detection probability. We propose the first senderdeniable public key encryption system with a single encryption algorithm and negligible detection probability. We describe a generic interactive construction based on a public key bit encryption scheme that has certain properties, and we give two examples of encryption schemes with these properties, one based on the quadratic residuosity assumption and the other on trapdoor permutations.
Bideniable publickey encryption
 In CRYPTO
, 2011
"... In CRYPTO 1997, Canetti et al.put forward the intruiging notion of deniable encryption, which (informally) allows a sender and/or receiver, having already performed some encrypted communication, to produce ‘fake ’ (but legitimatelooking) random coins that open the ciphertext to another message. Den ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
In CRYPTO 1997, Canetti et al.put forward the intruiging notion of deniable encryption, which (informally) allows a sender and/or receiver, having already performed some encrypted communication, to produce ‘fake ’ (but legitimatelooking) random coins that open the ciphertext to another message. Deniability is a powerful notion for both practice and theory: apart from its inherent utility for resisting coercion, a deniable scheme is also noncommitting (a useful property in constructing adaptively secure protocols) and secure under selectiveopening attacks on whichever parties can equivocate. To date, however, known constructions have achieved only limited forms of deniability, requiring at least one party to withhold its randomness, and in some cases using an interactive protocol or external parties. In this work we construct bideniable publickey cryptosystems, in which both the sender and receiver can simultaneously equivocate; we stress that the schemes are noninteractive and involve no third parties. One of our systems is based generically on “simulatable encryption ” as defined by Damg˚ard and Nielsen (CRYPTO 2000), while the other is latticebased and builds upon the results of Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that may be of independent interest. Both schemes work in the socalled “multidistributional ” model, in which the parties run alternative keygeneration and encryption algorithms for equivocable communication, but claim under coercion to have run the prescribed algorithms. Although multidistributional deniability has not attracted much attention, we argue that it is meaningful and useful because it provides credible coercion resistance in certain settings, and suffices for all of the related properties mentioned above. Keywords. Deniable encryption, noncommitting encryption, simulatable encryption, lattice cryptography.
Securing Circuits Against ConstantRate Tampering
"... Abstract. We present a compiler that converts any circuit into one that remains secure even if a constant fraction of its wires are tampered with. Following the seminal work of Ishai et al. (Eurocrypt 2006), we consider adversaries who may choose an arbitrary set of wires to corrupt, and may set eac ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. We present a compiler that converts any circuit into one that remains secure even if a constant fraction of its wires are tampered with. Following the seminal work of Ishai et al. (Eurocrypt 2006), we consider adversaries who may choose an arbitrary set of wires to corrupt, and may set each such wire to 0 or to 1, or may toggle with the wire. We prove that such adversaries, who continuously tamper with the circuit, can learn at most logarithmically many bits of secret information (in addition to blackbox access to the circuit). Our results are information theoretic. Key words: sidechannel attacks, tampering, circuit compiler, PCP of proximity
BlackBox, RoundEfficient Secure Computation via NonMalleability Amplification
"... We present roundefficient protocols for secure multiparty computation with a dishonest majority that rely on blackbox access to the underlying primitives. Our main contributions are: a O(log ∗ n)round protocol that relies on blackbox access to dense cryptosystems, homomorphic encryption schemes ..."
Abstract
 Add to MetaCart
We present roundefficient protocols for secure multiparty computation with a dishonest majority that rely on blackbox access to the underlying primitives. Our main contributions are: a O(log ∗ n)round protocol that relies on blackbox access to dense cryptosystems, homomorphic encryption schemes, or lossy encryption schemes. This improves upon the recent O(1) log ∗ nround protocol of Lin, Pass and Venkitasubramaniam (STOC 2009) that relies on nonblackbox access to a smaller class of primitives. a O(1)round protocol requiring in addition, blackbox access to a oneway function with subexponential hardness, improving upon the recent work of Pass and Wee (Eurocrypt 2010). These are the first blackbox constructions for secure computation with sublinear round complexity. Our constructions build on and improve upon the work of Lin and Pass (STOC 2009) on nonmalleability amplification, as well as that of Ishai et al. (STOC 2006) on blackbox secure computation. In addition to the results on secure computation, we also obtain a simple construction of a O(log ∗ n)round nonmalleable commitment scheme based on oneway functions, improving upon the recent O(1) log ∗ nround protocol of Lin and Pass (STOC 2009). Our construction uses a novel transformation for handling arbitrary maninthemiddle scheduling strategies which improves upon a previous construction of Barak (FOCS 2002). Keywords secure multiparty computation, round complexity, blackbox constructions, nonmalleable commitments. 1.
Adaptively Secure MultiParty Computation with Dishonest Majority
"... Abstract. Adaptively secure multiparty computation is an essential and fundamental notion in cryptography. In this work we focus on the basic question of constructing a multiparty computation protocol secure against a malicious, adaptive adversary in the standalone setting without assuming an hones ..."
Abstract
 Add to MetaCart
Abstract. Adaptively secure multiparty computation is an essential and fundamental notion in cryptography. In this work we focus on the basic question of constructing a multiparty computation protocol secure against a malicious, adaptive adversary in the standalone setting without assuming an honest majority, in the plain model. It has been believed that this question can be resolved by composing known protocols from the literature. We show that in fact, this belief is fundamentally mistaken. In particular, we show: Round inefficiency is unavoidable when using blackbox simulation: There does not exist) round protocol that adaptively securely realizes a (natural) nparty functionality with a blackbox simulator. Note that most previously known protocols in the adaptive security setting relied on blackbox simulators. A constant round protocol using nonblackbox simulation: We construct a constant round adaptively secure multiparty computation protocol in a setting without honest majority that makes crucial use of nonblack box techniques. Taken together, these results give the first resolution to the question of adaptively secure multiparty computation protocols with a malicious dishonest majority in the plain model, open since the first formal treatment of adaptive security for multiparty computation in 1996. any o ( n log n
Feasibility and Infeasibility of Adaptively Secure Fully Homomorphic Encryption
"... Fully homomorphic encryption (FHE) is a form of publickey encryption that enables arbitrary computation over encrypted data. The past few years have seen several realizations of FHE under different assumptions, and FHE has been used as a building block in many cryptographic applications. Adaptive s ..."
Abstract
 Add to MetaCart
Fully homomorphic encryption (FHE) is a form of publickey encryption that enables arbitrary computation over encrypted data. The past few years have seen several realizations of FHE under different assumptions, and FHE has been used as a building block in many cryptographic applications. Adaptive security for publickey encryption schemes is an important security notion that was proposed by Canetti et al. over 15 years ago. It is intended to ensure security when encryption is used within an interactive protocol, and parties may be adaptively corrupted by an adversary during the course of the protocol execution. Due to the extensive applications of FHE to protocol design, it is natural to understand whether adaptively secure FHE is achievable. In this paper we show two contrasting results in this direction. First, we show that adaptive security is impossible for FHE satisfying the (standard) compactness requirement. On the other hand, we show a construction of adaptively secure FHE that is not compact, but which does achieve circuit privacy.
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
"... We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition: • Our framework is roundefficient. E ..."
Abstract
 Add to MetaCart
We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition: • Our framework is roundefficient. E.g., under the DLIN or SXDH assumptions we achieve roundoptimal protocols with static security, or 3round protocols with adaptive security (assuming erasure). • Our resulting protocols are more efficient than any known previously, and in particular yield protocols for string OT using O(1) exponentiations and communicating O(1) group elements. Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length depends on the number of parties in the network and achieves only static security. Compared to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and efficiency.
On the Impossibility of SenderDeniable Public Key Encryption
"... Abstract. The primitive of deniable encryption was first introduced by Canetti et al. (CRYPTO, 1997). Deniable encryption is a regular public key encryption scheme with the added feature that after running the protocol honestly and transmitting a message m, both Sender and Receiver may produce rando ..."
Abstract
 Add to MetaCart
Abstract. The primitive of deniable encryption was first introduced by Canetti et al. (CRYPTO, 1997). Deniable encryption is a regular public key encryption scheme with the added feature that after running the protocol honestly and transmitting a message m, both Sender and Receiver may produce random coins showing that the transmitted ciphertext was an encryption of any message m ′ in the message space. Deniable encryption is a key tool for constructing incoercible protocols, since it allows a party to send one message and later provide apparent evidence to a coercer that a different message was sent. In addition, deniable encryption may be used to obtain adaptivelysecure multiparty computation (MPC) protocols and is secure under selectiveopening attacks. Different flavors such as senderdeniable and receiverdeniable encryption, where only the Sender or Receiver can produce fake random coins, have been considered. Recently, several open questions regarding the feasibility of deniable encryption have been resolved (c.f. (O’Neill et al., CRYPTO, 2011), (Bendlin et al., ASIACRYPT, 2011)). A fundamental remaining open question is whether it is possible to construct senderdeniable Encryption Schemes with superpolynomial security, where an adversary has negligible advantage in distinguishing real and fake openings. The primitive of simulatable public key encryption (PKE), introduced by Damg˚ard and Nielsen (CRYPTO, 2000), is a public key encryption scheme with additional properties that allow oblivious sampling of public keys and
Program Obfuscation with Leaky Hardware ∗
, 2011
"... We consider general program obfuscation mechanisms using “somewhat trusted ” hardware devices, with the goal of minimizing the usage of the hardware, its complexity, and the required trust. Specifically, our solution has the following properties: (i) The obfuscation remains secure even if all the ha ..."
Abstract
 Add to MetaCart
We consider general program obfuscation mechanisms using “somewhat trusted ” hardware devices, with the goal of minimizing the usage of the hardware, its complexity, and the required trust. Specifically, our solution has the following properties: (i) The obfuscation remains secure even if all the hardware devices in use are leaky. That is, the adversary can obtain the result of evaluating any function on the local state of the device, as long as this function has short output. In addition the adversary also controls the communication between the devices. (ii) The number of hardware devices used in an obfuscation and the amount of work they perform are polynomial in the security parameter independently of the obfuscated function’s complexity. (iii) A (universal) set of hardware components, owned by the user, is initialized only once and from that point on can be used with multiple “softwarebased ” obfuscations sent by different vendors.
Lower and Upper Bounds for Deniable PublicKey Encryption
"... Abstract. A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allow ..."
Abstract
 Add to MetaCart
Abstract. A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allowing the parties to change their internal state to make it look like a given ciphertext decrypts to a message di erent from what it really decrypts to. Deniable encryption was in this way introduced to allow to deny a message exchange and hence combat coercion. Depending on which parties can be coerced, the security level, the avor and the number of rounds of the cryptosystem, it is possible to de ne a number of notions of deniable encryption. In this paper we prove that there does not exist any noninteractive receiverdeniable cryptosystem with better than polynomial security. This also shows that it is impossible to construct a noninteractive bideniable publickey encryption scheme with better than polynomial security. Speci cally, we give an explicit bound relating the security of the scheme to how e cient the scheme is in terms of key size. Our impossibility result establishes a lower bound on the security. As a nal contribution we give constructions of deniable publickey encryption schemes which establishes upper bounds on the security in terms of key length. There is a gap between our lower and upper bounds, which leaves the interesting open problem of nding the tight bounds. 1