Non-black-box simulation from one-way functions and applications to resettable security
STOC, ACM, 2013
Cited by 8 (3 self)
Abstract
The simulation paradigm, introduced by Goldwasser, Micali and Rackoff, is of fundamental importance to modern cryptography. In a breakthrough work from 2001, Barak (FOCS’01) introduced a novel non-black-box simulation technique. This technique enabled the construction of new cryptographic primitives, such as resettably-sound zero-knowledge arguments, that cannot be proven secure using just black-box simulation techniques. The work of Barak and its follow-ups, however, all require stronger cryptographic hardness assumptions than the minimal assumption of one-way functions: the work of Barak requires the existence of collision-resistant hash functions, and a very recent result by Bitansky and Paneth (FOCS’12) instead requires the existence of an Oblivious Transfer protocol. In this work, we show how to perform non-black-box simulation assuming just the existence of one-way functions. In particular, we demonstrate the existence of a constant-round resettably-sound zero-knowledge argument based only on the existence of one-way functions. Using this technique, we determine necessary and sufficient assumptions for several other notions of resettable security of zero-knowledge proofs. An additional benefit of our approach is that it seemingly makes practical implementations of non-black-box zero-knowledge viable.
CONCURRENT SECURITY
2012
Cited by 2 (0 self)
Abstract
Traditionally, cryptographic protocols are analyzed in a “stand-alone” setting, where a single protocol execution takes place in isolation. In the age of the Internet, however, a great number of executions of different protocols coexist and are tightly interconnected. This concurrency severely undermines the foundation of the traditional study of cryptography. Since the early 90’s, it has been an important theme in cryptography to address security in such concurrent settings. However, until recently, no satisfactory solutions were proposed for performing general tasks in a concurrently secure way. In this thesis, we resolve “concurrent security”—we exhibit a construction of cryptographic protocols for general tasks that remain secure even in concurrent settings like the Internet. Different from previous works, our construction does not rely on any trusted infrastructure or strong hardness assumptions. As such, our construction broadens the applicability of cryptography by enabling it in more realistic settings and weakening the preconditions it is based on. Beyond the general feasibility result, we also significantly improve the efficiency
Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments
2012
Cited by 2 (0 self)
Abstract
We present barriers to provable security of two fundamental (and well-studied) cryptographic primitives, perfect non-interactive zero knowledge (NIZK) and non-malleable commitments:
• Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical (and thus also perfect) NIZK for NP based on any “standard” intractability assumptions.
• Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.
We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption. As an independent contribution, we suggest a taxonomy of game-based intractability assumptions based on 1) the security threshold, 2) the number of communication rounds in the security game, 3) the computational complexity of the game challenger, 4) the communication complexity of the challenger, and 5) the computational complexity of the security reduction.
Distributed Protocols for Leader Election: a Game-Theoretic Perspective
Cited by 2 (0 self)
Abstract
We do a game-theoretic analysis of leader election, under the assumption that each agent prefers to have some leader rather than no leader at all. We show that it is possible to obtain a fair Nash equilibrium, where each agent has an equal probability of being elected leader, in a completely connected network, in a bidirectional ring, and a unidirectional ring, in the synchronous setting. In the asynchronous setting, Nash equilibrium is not quite the right solution concept. Rather, we must consider ex post Nash equilibrium; this means that we have a Nash equilibrium no matter what a scheduling adversary does. We show that ex post Nash equilibrium is attainable in the asynchronous setting in all the networks we consider, using a protocol with bounded running time. However, in the asynchronous setting, we require that n > 2. We can get a fair ε-Nash equilibrium if n = 2 in the asynchronous setting, under some cryptographic assumptions (specifically, the existence of a pseudorandom number generator and polynomially-bounded agents), using ideas from bit-commitment protocols. We then generalize these results to a setting where we can have deviations by a coalition of size k. In this case, we can get what we call a fair k-resilient equilibrium if n > 2k; under the same cryptographic assumptions, we can get a k-resilient equilibrium if n = 2k. Finally, we show that, under minimal assumptions, not only do our
4-round resettably-sound zero knowledge
Theory of Cryptography, 11th Theory of Cryptography Conference, TCC 2014
Cited by 2 (1 self)
Abstract
While 4-round constructions of zero-knowledge arguments are known based on the existence of one-way functions, constructions of resettably-sound zero-knowledge arguments require either stronger assumptions (the existence of a fully-homomorphic encryption scheme), or more communication rounds. We close this gap by demonstrating a 4-round resettably-sound zero-knowledge argument for NP based on the existence of one-way functions.
An Algebraic Approach to Non-Malleability
Cited by 1 (0 self)
Abstract
In their seminal work on non-malleable cryptography, Dolev, Dwork and Naor showed how to construct a non-malleable commitment with logarithmically-many "rounds"/"slots", the idea being that any adversary may successfully maul in some slots but would fail in at least one. Since then new ideas have been introduced, ultimately resulting in constant-round protocols based on any one-way function. Yet, in spite of this remarkable progress, each of the known constructions of non-malleable commitments leaves something to be desired. In this paper we propose a new technique that allows us to construct a non-malleable protocol with only a single "slot", and to improve in at least one aspect over each of the previously proposed protocols. Two direct byproducts of our new ideas are a four-round non-malleable commitment and a four-round non-malleable zero-knowledge argument, the latter matching the round complexity of the best known zero-knowledge argument (without the non-malleability requirement). The protocols are based on the existence of one-way functions and admit very efficient instantiations via standard homomorphic commitments and sigma protocols. Our analysis relies on algebraic reasoning, and makes use of error correcting codes in order
Non-Malleable Zero Knowledge: Black-Box Constructions and Definitional Relationships
Abstract
This paper deals with efficient non-malleable zero-knowledge proofs for NP, based on general assumptions. We construct a simulation-sound zero-knowledge (ZK) protocol for NP, based only on the black-box use of one-way functions. Constructing such a proof system has been an open question ever since the original work of Dolev, Dwork, and Naor [DDN91]. In addition to the feasibility result, our protocol has a constant number of rounds, which is asymptotically optimal. Traditionally, the term non-malleable zero-knowledge (NmZK) refers to the original definition of [DDN91]; but today it is used loosely to also refer to simulation-soundness (SimSound) [Sah99], and simulation-extractability (SimExt) [PR05b]. While SimExt implies NmZK, the common perception is that SimExt is the strongest of the three notions. A formal study of the definitional relationship between these three notions, however, has never been done. In the second part of this work, we try to correct this situation by initiating such a study. We show that in the “static” case, if an NmZK protocol is also an argument-of-knowledge, then it is in fact SimExt. Furthermore, in the most strict sense of the definition, SimSound does not necessarily follow from SimExt. These results are somewhat surprising because they are opposite to the common perception that SimExt is the strongest of the three notions.
Statistical Concurrent Non-malleable Zero-knowledge from One-way Functions
2015
Abstract
Concurrent non-malleable zero-knowledge (CNMZK) protocols are zero-knowledge protocols that provide security even when adversaries interact with multiple provers and verifiers simultaneously. It is known that CNMZK arguments for NP can be constructed in the plain model. Furthermore, it was recently shown that statistical CNMZK arguments for NP can also be constructed in the plain model. However, although the former requires only the existence of one-way functions, the latter requires the DDH assumption. In this paper, we construct a statistical CNMZK argument for NP assuming only the existence of one-way functions. The security is proven via black-box simulation, and the round complexity is poly(n). Under the existence of collision-resistant hash functions, the round complexity is reduced to ω(log n), which is essentially optimal for black-box concurrent zero-knowledge protocols.
Two Round Multiparty Computation via Multi-Key FHE
2015
Abstract
We construct a general multiparty computation (MPC) protocol with only two rounds of interaction in the common random string model, which is known to be optimal. In the honest-but-curious setting we only rely on the learning with errors (LWE) assumption, and in the fully malicious setting we additionally assume the existence of non-interactive zero knowledge arguments (NIZKs). Previously, Asharov et al. (EUROCRYPT ’12) showed how to achieve three rounds based on LWE and NIZKs, while Garg et al. (TCC ’14) showed how to achieve the optimal two rounds based on indistinguishability obfuscation, but it was unknown if two rounds were possible under standard assumptions without obfuscation. Our approach relies on multi-key fully homomorphic encryption (MFHE), introduced by López-Alt et al. (STOC ’12), which enables homomorphic computation over data encrypted under different keys. We present a construction of MFHE based on LWE that significantly simplifies a recent scheme of Clear and McGoldrick (CRYPTO ’15). We then extend this construction to allow for a one-round distributed decryption of a multi-key ciphertext. Our entire MPC protocol consists of the following two rounds:
Textbook Non-Malleable Commitments
Abstract
We present a new non-malleable commitment protocol. Our protocol has the following features:
• The protocol has only three rounds of interaction. Pass (TCC 2013) showed an impossibility result for a two-round non-malleable commitment scheme w.r.t. a black-box reduction to any “standard” intractability assumption. Thus, this resolves the round complexity of non-malleable commitment at least w.r.t. black-box security reductions. Our construction is secure as per the standard notion of non-malleability w.r.t. commitment.
• Our protocol is truly efficient. In our basic protocol, the entire computation of the committer is dominated by just three invocations of a non-interactive statistically binding commitment scheme, while the receiver computation (in the commitment stage) is limited to just sampling a random string. Unlike many previous works, we directly construct a protocol for large tags and hence avoid any non-malleability amplification steps.
• Our protocol is based on a black-box use of any non-interactive statistically binding commitment scheme. Such schemes, in turn, can be based on any one-to-one one-way function (or any one-way function at the cost of an extra initialization round). Previously, the best known black-box construction