Results 11-20 of 58
Complete characterization of adversaries tolerable in secure multiparty computation
Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), 1997
Cited by 64 (11 self)
Abstract: The classical results in unconditional multiparty computation among a set of n players state that less than n/2 passive or less than n/3 active adversaries can be tolerated; assuming a broadcast channel, the threshold for active adversaries is n/2. Strictly generalizing these results, we specify the set of potentially misbehaving players as an arbitrary set of subsets of the player set. We prove the necessary and sufficient conditions for the existence of secure multiparty protocols in terms of the potentially misbehaving player sets. For every function there exists a protocol secure against a set of potential passive collusions if and only if no two of these collusions add up to the full player set. The same condition applies for active adversaries when assuming a broadcast channel. Without broadcast channels, for every function there exists a protocol secure against a set of potential active adverse player sets if and only if no three of these sets add up to the full player set. The complexities of the protocols not using a broadcast channel are polynomial; that of the protocol with broadcast is only slightly higher.
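The conditions in this abstract ("no two / no three of the potentially corrupted sets cover the player set", usually written Q^2 and Q^3) can be checked mechanically. The following is an added example written for this listing, not code from the paper: it takes the maximal sets of an adversary structure, tests Q^2 and Q^3, and reports which of the three settings in the abstract admit a protocol for every function. It also builds the classical threshold structures, so the t < n/2 and t < n/3 bounds fall out as a special case, and includes a constructed non-threshold structure (six players, one corruptible triple plus three corruptible singletons) that Q^3 tolerates even though no threshold t < 6/3 = 2 could cover a three-player collusion. The player names and sample structures are constructed for illustration.

```python
from itertools import combinations, combinations_with_replacement


def threshold_structure(players, t):
    """Maximal sets of the classical threshold adversary: every t-subset of
    the players (the structure is monotone, so subsets of these are implied)."""
    return [frozenset(c) for c in combinations(sorted(players), t)]


def satisfies_q(players, structure, k):
    """Q^k condition: no k sets of the adversary structure (repetition allowed,
    so a single set covering everything also fails) have the full player set
    as their union. Only the maximal sets need to be supplied, because adding
    a subset of a listed set can never create a new cover."""
    players = frozenset(players)
    structure = [frozenset(s) for s in structure]
    for s in structure:
        if not s <= players:
            raise ValueError(f"adversary set {set(s)} contains unknown players")
    for choice in combinations_with_replacement(structure, k):
        if frozenset().union(*choice) == players:
            return False
    return True


def tolerable(players, structure):
    """Map the abstract's three settings onto the two conditions:
    passive and active-with-broadcast need Q^2, active-without-broadcast needs Q^3."""
    q2 = satisfies_q(players, structure, 2)
    q3 = satisfies_q(players, structure, 3)
    return {
        "passive": q2,
        "active_with_broadcast": q2,
        "active_without_broadcast": q3,
    }


def demo():
    """Constructed cases: thresholds recover the classical bounds, and a
    non-threshold structure shows the strict generalization the abstract claims."""
    seven = range(7)
    results = {
        "n=7, t=2": tolerable(seven, threshold_structure(seven, 2)),   # 2 < 7/3
        "n=7, t=3": tolerable(seven, threshold_structure(seven, 3)),   # 7/3 <= 3 < 7/2
        "n=6, t=3": tolerable(range(6), threshold_structure(range(6), 3)),  # 3 = 6/2
    }
    # Six players; the adversary may corrupt {A,B,C} or any single one of D, E, F.
    # Any three of these sets cover at most five players, so Q^3 holds.
    non_threshold = [{"A", "B", "C"}, {"D"}, {"E"}, {"F"}]
    results["ABCDEF, non-threshold"] = tolerable("ABCDEF", non_threshold)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

Running the demo shows n=7, t=3 passing Q^2 but failing Q^3 (active security needs broadcast), n=6, t=3 failing even Q^2, and the six-player non-threshold structure satisfying Q^3 despite containing a three-player set.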
Asynchronous Verifiable Secret Sharing and Proactive Cryptosystems
In Proc. 9th ACM Conference on Computer and Communications Security (CCS), 2002
Cited by 56 (8 self)
Abstract: Verifiable secret sharing is an important primitive in distributed cryptography. With the growing interest in the deployment of threshold cryptosystems in practice, the traditional assumption of a synchronous network has to be reconsidered and generalized to an asynchronous model. This paper proposes the first practical verifiable secret sharing protocol for asynchronous networks. The protocol creates a discrete logarithm-based sharing and uses only a quadratic number of messages in the number of participating servers. It yields the first asynchronous Byzantine agreement protocol in the standard model whose efficiency makes it suitable for use in practice. Proactive cryptosystems are another important application of verifiable secret sharing. The second part of this paper introduces proactive cryptosystems in asynchronous networks and presents an efficient protocol for refreshing the shares of a secret key for discrete logarithm-based sharings.
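To make "discrete logarithm-based sharing" and "verifiable" concrete, here is an added example, not the paper's protocol and not code from the paper: the classical Feldman construction, in which the dealer Shamir-shares a secret over Z_Q and publishes commitments g^{a_j} to every polynomial coefficient, so each server can check its own share against public data and reject a bad one before reconstruction. The asynchronous-network and proactive-refresh aspects of the paper are not modelled here. The group parameters (P = 23, Q = 11, G = 2) are toy values constructed for illustration and far too small for real use; the party count, threshold and seed are likewise assumptions.

```python
import random

# Toy group, constructed for illustration only: G generates the subgroup of
# prime order Q inside Z_P^*, with Q | P - 1 (2^11 = 2048 = 89*23 + 1).
P = 23
Q = 11
G = 2


def deal(secret, t, n, rng):
    """Dealer: share `secret` in Z_Q with threshold t (t+1 shares reconstruct)
    among parties 1..n, and publish Feldman commitments to the coefficients."""
    assert 0 < t < n <= Q - 1, "need t+1 <= n distinct non-zero evaluation points"
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(t)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    commitments = [pow(G, c, P) for c in coeffs]   # C_j = g^{a_j}, public
    return shares, commitments


def verify_share(i, s_i, commitments):
    """Party i checks g^{s_i} == prod_j C_j^{i^j} mod P. Exponents are reduced
    mod Q because every C_j lies in the order-Q subgroup."""
    expected = 1
    for j, c_j in enumerate(commitments):
        expected = expected * pow(c_j, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == expected


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from any t+1 or more shares."""
    secret = 0
    for i, s_i in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + s_i * num * pow(den, -1, Q)) % Q
    return secret


def demo():
    """Constructed run: honest shares verify, a tampered share is caught,
    and three of five shares recover the secret."""
    rng = random.Random(2002)            # fixed seed so the run is reproducible
    shares, commitments = deal(7, t=2, n=5, rng=rng)
    honest = all(verify_share(i, s, commitments) for i, s in shares.items())
    tampered = (shares[1] + 1) % Q       # a corrupted server alters party 1's share
    caught = not verify_share(1, tampered, commitments)
    recovered = reconstruct({i: shares[i] for i in (2, 4, 5)})
    return honest, caught, recovered


if __name__ == "__main__":
    print(demo())   # (True, True, 7)
```

The check in verify_share is what turns plain Shamir sharing into a verifiable one: a dealer who hands out inconsistent shares, or a server that later presents a modified share, is detected from public commitments alone, without revealing the secret.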
Maintaining Authenticated Communication in the Presence of Breakins
Journal of Cryptology, 1998
Cited by 40 (6 self)
Abstract: We study the problem of maintaining authenticated communication over untrusted communication channels, in a scenario where the communicating parties may be occasionally and repeatedly broken into for transient periods of time. Once a party is broken into, its cryptographic keys are exposed and perhaps modified. Yet, we want parties whose security is thus compromised to regain their ability to communicate in an authenticated way aided by other parties. In this work we present a mathematical model for this highly adversarial setting, exhibiting salient properties and parameters, and then describe a practically appealing protocol for the task of maintaining authenticated communication in this model. A key element in our solution is devising proactive distributed signature (PDS) schemes in our model. Although PDS schemes are known in the literature, they are all designed for a model where authenticated communication and broadcast primitives are available. We therefore show how t...
Towards provable security for ad hoc routing protocols
In Proceedings of the ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN), 2004
Cited by 35 (5 self)
Abstract: We propose a formal framework for the security analysis of on-demand source routing protocols for wireless ad hoc networks. Our approach is based on the well-known simulation paradigm that has been proposed to prove the security of cryptographic protocols. Our main contribution is the application of the simulation-based approach in the context of ad hoc routing. This involves a precise definition of a real-world model, which describes the real operation of the protocol, and an ideal-world model, which captures what the protocol wants to achieve in terms of security. Both models take into account the peculiarities of wireless communications and ad hoc routing. Then, we give a formal definition of routing security in terms of indistinguishability of the two models from the point of view of honest parties. We demonstrate the usefulness of our approach by analyzing two “secure” ad hoc routing protocols, SRP and Ariadne. This analysis leads to the discovery of as yet unknown attacks against both protocols. Finally, we propose a new ad hoc routing protocol and prove it to be secure in our model.
Incoercible Multiparty Computation
Proc. 37th IEEE Symp. on Foundations of Computer Science, 1996
Cited by 34 (3 self)
Abstract: Current secure multiparty protocols have the following deficiency. The public transcript of the communication can be used as an involuntary commitment of the parties to their inputs and outputs. Thus parties can be later coerced by some authority to reveal their private data. Previous work that has pointed this interesting problem out contained only partial treatment. In this work we present the first general treatment of the coercion problem in secure computation. First we present a general definition of protocols that provide resilience to coercion. Our definition constitutes a natural extension of the general paradigm used for defining secure multiparty protocols. Next we show that if trapdoor permutations exist then any function can be incoercibly computed (i.e., computed by a protocol that provides resilience to coercion) in the presence of computationally bounded adversaries and only public communication channels. This ...
Signature Schemes and Applications to Cryptographic Protocol Design
2002
Cited by 32 (8 self)
Abstract: Signature schemes are fundamental cryptographic primitives, useful as a standalone application, and as a building block in the design of secure protocols and other cryptographic objects. In this thesis, we study both the uses that signature schemes find in protocols, and the design of signature schemes suitable for a broad range of applications. An important
Provably secure ubiquitous systems: Universally composable RFID authentication protocols
In Proceedings of the 2nd IEEE/CreateNet International Conference on Security and Privacy in Communication Networks (SECURECOMM), 2006
Cited by 25 (14 self)
Abstract: This paper examines two unlinkably anonymous, simple RFID identification protocols that require only the ability to evaluate hash functions and generate random values, and that are provably secure against Byzantine adversaries. The main contribution is a universally composable security model tuned for RFID applications. By making specific setup, communication, and concurrency assumptions that are realistic in the RFID application setting, we arrive at a model that guarantees strong security and availability properties, while still permitting the design of practical RFID protocols. We show that two protocols are provably secure within the new security model. Our proofs do not employ random oracles: the protocols are shown to be secure in the standard model under the assumption of existence of pseudorandom function families.
Robustness for free in unconditional multiparty computation
CRYPTO, 2001
Cited by 25 (3 self)
Abstract: We present a very efficient multiparty computation protocol unconditionally secure against an active adversary. The security is maximal, i.e., active corruption of up to t < n/3 of the n players is tolerated. The communication complexity for securely evaluating a circuit with m multiplication gates over a finite field is O(mn^2) field elements, including the communication required for simulating broadcast, but excluding some overhead costs (independent of m) for sharing the inputs and reconstructing the outputs. This corresponds to the complexity of the best known protocols for the passive model, where the corrupted players are guaranteed not to deviate from the protocol. The complexity of our protocol may well be optimal. The constant overhead factor for robustness is small and the protocol is practical.
The Foundations of Modern Cryptography
1998
Cited by 24 (0 self)
Abstract: In our opinion, the Foundations of Cryptography are the paradigms, approaches and techniques used to conceptualize, define and provide solutions to natural cryptographic problems. In this essay, we survey some of these paradigms, approaches and techniques as well as some of the fundamental results obtained using them. Special effort is made in an attempt to dispel common misconceptions regarding these paradigms and results. Copyright 1998 by Oded Goldreich. A preliminary version of this essay appeared in the proceedings of Crypto97 (Springer's Lecture Notes in Computer Science, Vol. 1294).
An identity escrow scheme with appointed verifiers
Advances in Cryptology - Crypto 2001, LNCS 2139, 2001
Cited by 20 (4 self)
Abstract: An identity escrow scheme allows a member of a group to prove membership in this group without revealing any extra information. At the same time, in case of abuse, his identity can still be discovered. Such a scheme allows anonymous access control. In this paper, we put forward the notion of an identity escrow scheme with appointed verifiers. Such a scheme allows the user to only convince an appointed verifier (or several appointed verifiers) of his membership; but no unauthorized verifier can verify a user’s group membership even if the user fully cooperates, unless the user is completely under his control. We provide a formal definition of this new notion and give an efficient construction of an identity escrow scheme with appointed verifiers provably secure under common number-theoretic assumptions in the public-key model.