Results 1  10
of
57
Security and Composition of Multiparty Cryptographic Protocols
 JOURNAL OF CRYPTOLOGY
, 1998
"... We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions f ..."
Abstract

Cited by 389 (18 self)
 Add to MetaCart
We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural `subroutine substitution' operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, nonadaptive and adaptive adversaries, as well as the informationtheoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.
An efficient system for nontransferable anonymous credentials with optional anonymity revocation
, 2001
"... Abstract. A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical r ..."
Abstract

Cited by 207 (7 self)
 Add to MetaCart
Abstract. A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional DiffieHellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing allornothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Dynamic accumulators and application to efficient revocation of anonymous credentials
 http://eprint.iacr.org/2001, 2001. Jan Camenisch and Anna Lysyanskaya
"... Abstract. We introduce the notion of a dynamic accumulator. Anaccumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value ..."
Abstract

Cited by 168 (11 self)
 Add to MetaCart
Abstract. We introduce the notion of a dynamic accumulator. Anaccumulator scheme allows one to hash a large set of inputs into one short value, such that there is a short proof that a given input was incorporated into this value. A dynamic accumulator allows one to dynamically add and delete a value, such that the cost of an add or delete is independent of the number of accumulated values. We provide a construction of a dynamic accumulator and an efficient zeroknowledge proof of knowledge of an accumulated value. We prove their security under the strong RSA assumption. We then show that our construction of dynamic accumulators enables efficient revocation of anonymous credentials, and membership revocation for recent group signature and identity escrow schemes.
Direct Anonymous Attestation
, 2004
"... This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the ..."
Abstract

Cited by 140 (18 self)
 Add to MetaCart
This paper describes the direct anonymous attestation scheme (DAA). This scheme was adopted by the Trusted Computing Group as the method for remote authentication of a hardware module, called trusted platform module (TPM), while preserving the privacy of the user of the platform that contains the module. Direct anonymous attestation can be seen as a group signature without the feature that a signature can be opened, i.e., the anonymity is not revocable. Moreover, DAA allows for pseudonyms, i.e., for each signature a user (in agreement with the recipient of the signature) can decide whether or not the signature should be linkable to another signature. DAA furthermore allows for detection of "known" keys: if the DAA secret keys are extracted from a TPM and published, a verifier can detect that a signature was produced using these secret keys. The scheme is provably secure in the random oracle model under the strong RSA and the decisional Di#eHellman assumption.
Separating agreement from execution for byzantine fault tolerant services
 IN PROC. SOSP
, 2003
"... We describe a new architecture for Byzantine fault tolerant state machine replication that separates agreement that orders requests from execution that processes requests. This separation yields two fundamental and practically significant advantages over previous architectures. First, it reduces rep ..."
Abstract

Cited by 131 (19 self)
 Add to MetaCart
We describe a new architecture for Byzantine fault tolerant state machine replication that separates agreement that orders requests from execution that processes requests. This separation yields two fundamental and practically significant advantages over previous architectures. First, it reduces replication costs because the new architecture can tolerate faults in up to half of the state machine replicas that execute requests. Previous systems can tolerate faults in at most a third of the combined agreement/state machine replicas. Second, separating agreement from execution allows a general privacy firewall architecture to protect confidentiality through replication. In contrast, replication in previous systems hurts confidentiality because exploiting the weakest replica can be su#cient to compromise the system. We have constructed a prototype and evaluated it running both microbenchmarks and an NFS server. Overall, we find that the architecture adds modest latencies to unreplicated systems and that its performance is competitive with existing Byzantine fault tolerant systems.
General Secure MultiParty Computation from any Linear SecretSharing Scheme
, 2000
"... Abstract. We show that verifiable secret sharing (VSS) and secure multiparty computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neith ..."
Abstract

Cited by 122 (20 self)
 Add to MetaCart
Abstract. We show that verifiable secret sharing (VSS) and secure multiparty computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the informationtheoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous informationtheoretically secure protocols, the field size is not restricted (e.g, to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for nonthreshold adversaries provably have superpolynomial complexity. 1
Authenticated Group Key Agreement and Friends
, 1998
"... Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper ..."
Abstract

Cited by 85 (6 self)
 Add to MetaCart
Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation and integrity. It begins by considering 2party authenticated key agreement and extends the results to Group DiffieHellman key agreement. In the process, some new security properties (unique to groups) are discussed. 1 Introduction This paper is concerned with security services in the context of dynamic peer groups (DPGs). Such groups are common in many network protocol layers and in many areas of modern computing and the solution to their security needs, in particular key management, are still open research challenges [19]. Exa...
Adaptively Secure Multiparty Computation
, 1996
"... A fundamental problem in designing secure multiparty protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographi ..."
Abstract

Cited by 76 (8 self)
 Add to MetaCart
A fundamental problem in designing secure multiparty protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographic primitives based on the computational limitations of the adversary.
Rational Secret Sharing and Multiparty Computation (Extended Abstract)
, 2004
"... Joseph Halpern Cornell University Ithaca, NY 14853 halpern@cs.cornell.edu Vanessa Teague Stanford University Stanford, CA 943059025 vteague@cs.stanford.edu ABSTRACT We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (res ..."
Abstract

Cited by 74 (9 self)
 Add to MetaCart
Joseph Halpern Cornell University Ithaca, NY 14853 halpern@cs.cornell.edu Vanessa Teague Stanford University Stanford, CA 943059025 vteague@cs.stanford.edu ABSTRACT We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (resp., function value) to not getting it, and secondarily, prefer that as few as possible of the other agents get it. We show that, under these assumptions, neither secret sharing nor multiparty function computation is possible using a mechanism that has a fixed running time. However, we show that both are possible using randomized mechanisms with constant expected running time.
Player simulation and general adversary structures in perfect multiparty computation
, 2000
"... The goal of secure multiparty computation is to transform a given protocol involving a trusted party into a protocol without need for the trusted party, by simulating the party among the players. Indeed, by the same means, one can simulate an arbitrary player in any given protocol. We formally defin ..."
Abstract

Cited by 72 (9 self)
 Add to MetaCart
The goal of secure multiparty computation is to transform a given protocol involving a trusted party into a protocol without need for the trusted party, by simulating the party among the players. Indeed, by the same means, one can simulate an arbitrary player in any given protocol. We formally define what it means to simulate a player by a multiparty protocol among a set of (new) players, and we derive the resilience of the new protocol as a function of the resiliences of the original protocol and the protocol used for the simulation. In contrast to all previous protocols that specify the tolerable adversaries by the number of corruptible players (a threshold), we consider general adversaries characterized by an adversary structure, a set of subsets of the player set, where the adversary may corrupt the players of one set in the structure. Recursively applying the simulation technique to standard threshold multiparty protocols results in protocols secure against general adversaries. The classical results in unconditional multiparty computation among a set of n players state that, in the passive model, any adversary that corrupts less than n=2 players can be tolerated, and in the active model, any adversary that corrupts less than n=3 players can be tolerated. Strictly generalizing