Results 1  10
of
64
Concurrent ZeroKnowledge
 IN 30TH STOC
, 1999
"... Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two proces ..."
Abstract

Cited by 182 (19 self)
 Add to MetaCart
Concurrent executions of a zeroknowledge protocol by a single prover (with one or more verifiers) may leak information and may not be zeroknowledge in toto. In this paper, we study the problem of maintaining zeroknowledge We introduce the notion of an (; ) timing constraint: for any two processors P1 and P2 , if P1 measures elapsed time on its local clock and P2 measures elapsed time on its local clock, and P2 starts after P1 does, then P2 will finish after P1 does. We show that if the adversary is constrained by an (; ) assumption then there exist fourround almost concurrent zeroknowledge interactive proofs and perfect concurrent zeroknowledge arguments for every language in NP . We also address the more specific problem of Deniable Authentication, for which we propose several particularly efficient solutions. Deniable Authentication is of independent interest, even in the sequential case; our concurrent solutions yield sequential solutions without recourse to timing, i.e., in the standard model.
Rational Secret Sharing and Multiparty Computation (Extended Abstract)
, 2004
"... Joseph Halpern Cornell University Ithaca, NY 14853 halpern@cs.cornell.edu Vanessa Teague Stanford University Stanford, CA 943059025 vteague@cs.stanford.edu ABSTRACT We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (res ..."
Abstract

Cited by 103 (9 self)
 Add to MetaCart
(Show Context)
Joseph Halpern Cornell University Ithaca, NY 14853 halpern@cs.cornell.edu Vanessa Teague Stanford University Stanford, CA 943059025 vteague@cs.stanford.edu ABSTRACT We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (resp., function value) to not getting it, and secondarily, prefer that as few as possible of the other agents get it. We show that, under these assumptions, neither secret sharing nor multiparty function computation is possible using a mechanism that has a fixed running time. However, we show that both are possible using randomized mechanisms with constant expected running time.
A GameBased Verification of NonRepudiation and Fair Exchange Protocols
, 2001
"... . In this paper, we report on a recent work for the verication of nonrepudiation ..."
Abstract

Cited by 68 (3 self)
 Add to MetaCart
(Show Context)
. In this paper, we report on a recent work for the verication of nonrepudiation
Zaps and Their Applications
 In 41st FOCS
, 2000
"... A zap is a tworound, witnessindistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "onceandforall" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every langu ..."
Abstract

Cited by 43 (8 self)
 Add to MetaCart
(Show Context)
A zap is a tworound, witnessindistinguishable protocol in which the first round, consisting of a message from the verifier to the prover, can be fixed "onceandforall" and applied to any instance, and where the verifier does not use any private coins. We present a zap for every language in NP, based on the existence of noninteractive zeroknowledge proofs in the shared random string model. The zap is in the standard model, and hence requires no common guaranteed random string.
Cryptography and game theory: Designing protocols for exchanging information
 In Theory of Cryptography Conference
, 2008
"... The goal of this paper is nding fair protocols for the secret sharing and secure multiparty computation (SMPC) problems, when players are assumed to be rational. It was observed by Halpern and Teague (STOC 2004) that protocols with bounded number of iterations are susceptible to backward induction a ..."
Abstract

Cited by 37 (1 self)
 Add to MetaCart
(Show Context)
The goal of this paper is nding fair protocols for the secret sharing and secure multiparty computation (SMPC) problems, when players are assumed to be rational. It was observed by Halpern and Teague (STOC 2004) that protocols with bounded number of iterations are susceptible to backward induction and cannot be considered rational. Previously suggested cryptographic solutions all share the property of having an essential exponential upper bound on their running time, and hence they are also susceptible to backward induction. Although it seems that this bound is an inherent property of every cryptography based solution, we show that this is not the case. We suggest coalitionresilient secret sharing and SMPC protocols with the property that after any sequence of iterations it is still a computational best response to follow them. Therefore, the protocols can be run any number of iterations, and are immune to backward induction. The mean of communication assumed is a broadcast channel, and we consider both the simultaneous and nonsimultaneous cases.
Analysis of probabilistic contract signing
 Journal of Computer Security
, 2003
"... (this research was performed while at SRI International) We present three case studies, investigating the use of probabilistic model checking to automatically analyse properties of probabilistic contract signing protocols. We use the probabilistic model checker PRISM to analyse three protocols: Rabi ..."
Abstract

Cited by 31 (6 self)
 Add to MetaCart
(this research was performed while at SRI International) We present three case studies, investigating the use of probabilistic model checking to automatically analyse properties of probabilistic contract signing protocols. We use the probabilistic model checker PRISM to analyse three protocols: Rabin’s probabilistic protocol for fair commitment exchange; the probabilistic contract signing protocol of BenOr, Goldreich, Micali, and Rivest; and a randomised protocol for signing contracts of Even, Goldreich, and Lempel. These case studies illustrate the general methodology for applying probabilistic model checking to formal verification of probabilistic security protocols. For the BenOr et al. protocol, we demonstrate the difficulty of combining fairness with timeliness. If, as required by timeliness, the judge responds to participants ’ messages immediately upon receiving them, then there exists a strategy for a misbehaving participant that brings the protocol to an unfair state with arbitrarily high probability, unless unusually strong assumptions are made about the quality of the communication channels between the judge and honest participants. We quantify the tradeoffs involved in the attack strategy, and discuss possible modifications of the protocol that ensure both fairness and timeliness. For the Even et al. protocol, we demonstrate that the responder enjoys a distinct advantage. With probability 1, the protocol reaches a state in which the responder possesses the initiator’s commitment, but the initiator does not possess the responder’s commitment. We then analyse several variants of the protocol, exploring the tradeoff between fairness and the number of messages that must be exchanged between participants.
Optimistic Fair Exchange with Transparent Signature Recovery
 IN: 5TH INTERNATIONAL CONFERENCE, FINANCIAL CRYPTOGRAPHY 2001, LECTURE NOTES IN COMPUTER SCIENCE
, 2001
"... We propose a new protocol allowing the exchange of an item against a signature while assuring fairness. The proposed protocol, based on the GiraultPoupardStern signature scheme (a variation of the Schnorr scheme), assumes the existence of a trusted third party that, except in the setup phase, is i ..."
Abstract

Cited by 30 (7 self)
 Add to MetaCart
We propose a new protocol allowing the exchange of an item against a signature while assuring fairness. The proposed protocol, based on the GiraultPoupardStern signature scheme (a variation of the Schnorr scheme), assumes the existence of a trusted third party that, except in the setup phase, is involved in the protocol only when one of the parties does not follow the designated protocol or some technical problem occures during the execution of the protocol. The interesting feature of the protocol is the low communication and computational charges required by the parties. Moreover, in case of problems during the main protocol, the trusted third party can derive the same digital signature as the one transmitted in a faultless case, rather than an adavit or an official certificate.
Complete fairness in secure twoparty computation
 In Proceedings of the 40th Annual ACM Symposium on Theory of Computing
, 2008
"... In the setting of secure twoparty computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness, which guarantees that if ei ..."
Abstract

Cited by 29 (12 self)
 Add to MetaCart
(Show Context)
In the setting of secure twoparty computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness, which guarantees that if either party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general in the twoparty setting; specifically, he showed (essentially) that it is impossible to compute Boolean XOR with complete fairness. Since his work, the accepted folklore has been that nothing nontrivial can be computed with complete fairness, and the question of complete fairness in secure twoparty computation has been treated as closed since the late ’80s. In this paper, we demonstrate that this widely held folklore belief is false by showing completelyfair secure protocols for various nontrivial twoparty functions including Boolean AND/OR as well as Yao’s “millionaires ’ problem”. Surprisingly, we show that it is even possible to construct completelyfair protocols for certain functions containing an “embedded XOR”, although in this case we also prove a lower bound showing that a superlogarithmic number of rounds are necessary. Our results demonstrate that the question of completelyfair secure computation without an honest majority is far from closed.
Lower bounds on implementing robust and resilient mediators
 In Fifth Theory of Cryptography Conference
, 2008
"... We provide new and tight lower bounds on the ability of players to implement equilibria using cheap talk, that is, just allowing communication among the players. One of our main results is that, in general, it is impossible to implement threeplayer Nash equilibria in a bounded number of rounds. We ..."
Abstract

Cited by 28 (8 self)
 Add to MetaCart
(Show Context)
We provide new and tight lower bounds on the ability of players to implement equilibria using cheap talk, that is, just allowing communication among the players. One of our main results is that, in general, it is impossible to implement threeplayer Nash equilibria in a bounded number of rounds. We also give the first rigorous connection between Byzantine agreement lower bounds and lower bounds on implementation. To this end we consider a number of variants of Byzantine agreement and introduce reduction arguments. We also give lower bounds on the running time of two player implementations. All our results extended to lower bounds on (k, t)robust equilibria, a solution concept that tolerates deviations by coalitions of size up to k and deviations by up to t players with unknown utilities (who may be malicious).
Fairness with an honest minority and a rational majority. Cryptology ePrint Archive, Report 2008/097
, 2008
"... Abstract. We provide a simple protocol for secret reconstruction in any threshold secret sharing scheme, and prove that it is fair when executed with many rational parties together with a small minority of honest parties. That is, all parties will learn the secret with high probability when the hone ..."
Abstract

Cited by 20 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We provide a simple protocol for secret reconstruction in any threshold secret sharing scheme, and prove that it is fair when executed with many rational parties together with a small minority of honest parties. That is, all parties will learn the secret with high probability when the honest parties follow the protocol and the rational parties act in their own selfinterest (as captured by a setNash analogue of trembling hand perfect equilibrium). The protocol only requires a standard (synchronous) broadcast channel, tolerates both early stopping and incorrectly computed messages, and only requires 2 rounds of communication. Previous protocols for this problem in the cryptographic or economic models have either required an honest majority, used strong communication channels that enable simultaneous exchange of information, or settled for approximate notions of security/equilibria. They all also required a nonconstant number of rounds of communication.