Round-Optimal Password-Based Authenticated Key Exchange
Cited by 16 (0 self)

Abstract
We show a general framework for constructing password-based authenticated key-exchange protocols with optimal round complexity (one message per party, sent simultaneously) in the standard model, assuming the existence of a common reference string. When our framework is instantiated using bilinear-map-based cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols in the standard model that are universally composable while still using only one (simultaneous) round.

1 Password-Based Authenticated Key Exchange

Protocols for authenticated key exchange enable two parties to generate a shared, cryptographically strong key while communicating over an insecure network under the complete control of an adversary. Such protocols are among the most widely used and fundamental cryptographic primitives; indeed, agreement on a shared key is necessary before "higher-level" tasks such as encryption and message authentication become possible. Parties must share some information in order for authenticated key exchange to be possible. It is well known that shared cryptographic keys, either in the form of public keys or a long,
Non-Black-Box Simulation in the Fully Concurrent Setting
In STOC, 2013
Cited by 7 (0 self)

Abstract
We present a new zero-knowledge argument protocol by relying on the non-black-box simulation technique of Barak (FOCS'01). Similar to the protocol of Barak, ours is public-coin, is based on the existence of collision-resistant hash functions, and is not based on "rewinding techniques" but rather uses non-black-box simulation. However, in contrast to the protocol of Barak, our protocol is secure even if there is an unbounded (polynomial) number of concurrent sessions. This gives us the first construction of public-coin concurrent zero-knowledge. Prior to our work, Pass, Tseng and Wikström (SIAM J. Comp. 2011) had shown that using black-box simulation, getting a construction for even public-coin parallel zero-knowledge is impossible. A public-coin concurrent zero-knowledge protocol directly implies the existence of a concurrent resettably-sound zero-knowledge protocol. This is an improvement over the corresponding construction of Deng, Goyal and Sahai (FOCS'09), which was based on stronger assumptions. Furthermore, this also directly leads to an alternative (and arguably cleaner) construction of a simultaneously resettable zero-knowledge argument system. An important feature of our protocol is the existence of a "straight-line" simulator. This gives a fundamentally different tool for constructing concurrently secure computation protocols (for functionalities even beyond zero-knowledge). The round complexity of our protocol is n (for any constant > 0), and the simulator runs in strict polynomial time. The main technique behind our construction is purely combinatorial in nature.
New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation
Cited by 1 (0 self)

Abstract
We consider the client-server setting for the concurrent composition of secure protocols: in this setting, a single server interacts with multiple clients concurrently, executing with each client a specified protocol where only the client should receive any non-trivial output. Such a setting is easily motivated from an application standpoint. There are important special cases for which positive results are known, such as concurrent zero-knowledge protocols, and it has been an open question, explicitly asked, for instance, by Lindell [J. Cryptology'08], whether other natural functionalities such as Oblivious Transfer (OT) are possible in this setting. In this work:

• We resolve this open question by showing that, unfortunately, even in this very limited concurrency setting, broad new impossibility results hold, ruling out not only OT but in fact all non-trivial asymmetric functionalities. Our new negative results hold even if the inputs of all honest parties are fixed in advance and the adversary receives no auxiliary information.

• Along the way, we establish a new unconditional completeness result for asymmetric functionalities, where we characterize functionalities that are non-interactively complete, secure against active adversaries.
Concurrent Secure Computation via Non-Black-Box Simulation
Abstract
Recently, Goyal (STOC'13) proposed a new non-black-box simulation technique for fully concurrent zero-knowledge with straight-line simulation. Unfortunately, so far this technique is limited to the setting of concurrent zero-knowledge. The goal of this paper is to study what can be achieved in the setting of concurrent secure computation using non-black-box simulation techniques, building upon the work of Goyal. The main contribution of our work is a secure computation protocol in the fully concurrent setting with a straight-line simulator, which allows us to achieve several new results:

– We give the first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real-world security definition. Our positive result is somewhat surprising in light of the impossibility result of Lindell (STOC'03) for black-box simulation. We circumvent this impossibility using non-black-box simulation. This gives us a quite natural example of a functionality in concurrent
Concurrent Secure Computation with Optimal Query Complexity and Fully Concurrent PAKE With No Setup
Abstract
The multiple ideal query (MIQ) model [Goyal, Jain, and Ostrovsky, Crypto'10] offers a relaxed notion of security for concurrent secure computation, where the simulator is allowed to query the ideal functionality multiple times per session (as opposed to just once in the standard definition). The model provides a quantitative measure of the degradation in security under concurrent self-composition. As an immediate application, MIQ-secure protocols with low per-session query complexity yield concurrent password-authenticated key exchange protocols in the model of [Goldreich and Lindell, Crypto 2001]. However, to date, all known MIQ-secure protocols guarantee only an overall average bound on the number of queries per session throughout the execution. No worst-case per-session bound has been shown. We show the first MIQ-secure protocol with a worst-case per-session guarantee. Specifically, we show a protocol for every PPT functionality f, where the simulator makes only a constant number of ideal queries in every session. The constant depends on the adversary but is independent of the security parameter. The result exactly matches a lower bound of [Goyal and Jain, Eurocrypt'13], who ruled out protocols where the simulator makes only an adversary-independent constant number of ideal queries per session. An immediate corollary of our main result is the resolution of the long-standing open problem of designing a fully concurrent password-authenticated key exchange protocol with no setup assumptions. Prior constructions either required a setup assumption, or a random oracle, or an a priori bound on the number of concurrent executions, or worked only for a single password.
Public-Coin Concurrent Zero-Knowledge in Logarithmic Rounds
2014
Abstract
We construct O(log^{1+ɛ} n)-round public-coin concurrent zero-knowledge arguments for NP from standard (against any polynomial-time adversary) collision-resistant hash functions, for an arbitrarily small constant ɛ. Our construction is straight-line simulatable. This is the first public-coin concurrent zero-knowledge protocol based on a standard, long-studied assumption that (almost) achieves the best known round complexity of its private-coin counterpart [Prabhakaran et al., FOCS 02]. Previously, such public-coin constructions required either a polynomial number of rounds [Goyal, STOC 13], newly introduced assumptions [Chung et al., FOCS 13], or a stronger model [Canetti et al., TCC 13]. This result has strong consequences: it yields the first (almost) logarithmic-round simultaneously resettable arguments for NP and the first (almost) logarithmic-round concurrent multi-party computation in the single-input setting. These results significantly improve over the polynomial round complexity of the best known protocols based on standard assumptions in both cases. Our technical contribution is twofold. First, we introduce a simulation strategy called clearance that yields a simulation tree of very special combinatorial structure and enables us to instantiate Barak's protocol [Barak, FOCS 01] using the recent quasi-linear PCP construction of Ben-Sasson et al. [Ben-Sasson et al., STOC 13] to obtain logarithmic round complexity; second, we show how to modify Barak's protocol such that the soundness of the overall construction does not rely on the (implicit/explicit) proof-of-knowledge property of the underlying universal argument/PCP system, which in turn allows us to benefit from progress on short PCP systems of more general types without assuming stronger/super-polynomial hardness.