Results 1 - 10 of 19

Universally Composable Two-Party and Multi-Party Secure Computation
2002
Cited by 125 (32 self)
We show how to securely realize any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multi-party network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies non-malleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.

Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case
In Proceedings of CRYPTO ’02, LNCS series
2002
Cited by 71 (2 self)
We show that there exists a natural protocol problem which has a simple solution in the random-oracle (RO) model and which has no solution in the complexity-theoretic (CT) model, namely the problem of constructing a non-interactive communication protocol secure against adaptive adversaries, a.k.a. non-interactive non-committing encryption. This separation between the models is due to the so-called programmability of the random oracle. We show this by providing a formulation of the RO model in which the oracle is not programmable, and showing that in this model, there does not exist non-interactive non-committing encryption.

Ring signatures: Stronger definitions, and constructions without random oracles. Cryptology ePrint Archive
2005
Cited by 41 (1 self)
Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely “ad hoc” and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and then give separation results proving that our new notions are strictly stronger than previous ones. Next, we show two constructions of ring signature schemes in the standard model: one based on generic assumptions which satisfies our strongest definitions of security, and a second, more efficient scheme achieving weaker security guarantees and more limited functionality. These are the first constructions of ring signature schemes that do not rely on random oracles or ideal ciphers.
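To make the notion in the abstract concrete, here is an added example that is not part of the paper above and not one of its constructions: a Schnorr-type ring signature in the Abe-Ohkubo-Suzuki style, which is exactly the kind of random-oracle-model scheme the paper's standard-model results move away from. It shows the "ad hoc" property directly: the signer needs only its own secret key and the other members' public keys, the verifier needs public keys alone, and nothing in the signature identifies which member closed the cycle. The curve (secp256k1 with hand-written affine arithmetic), SHA-256 as the random oracle, and all function names are assumptions of this example.

```python
# Added example (not from the paper): AOS-style ring signature over secp256k1.
# Each ring member contributes one Schnorr-like link c_{i+1} = H(m, ring, s_i*G + c_i*Y_i);
# the signer alone can solve its link with its secret key, which closes the cycle at c_0.
import hashlib
import secrets

# secp256k1 domain parameters (standard curve; chosen for this example)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def _add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 + 7 over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = INF
    k %= N
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _enc(pt):
    if pt is INF:
        return b"\x00" * 64
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def _hash(msg, ring, pt):
    """Random-oracle hash binding the message, the whole ring and a point, reduced mod N."""
    h = hashlib.sha256(msg)
    for y in ring:
        h.update(_enc(y))
    h.update(_enc(pt))
    return int.from_bytes(h.digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, _mul(x, G)


def ring_sign(msg, ring, signer_idx, secret):
    """Sign on behalf of the ring; needs only the signer's secret and the members' public keys."""
    n = len(ring)
    if _mul(secret, G) != ring[signer_idx]:
        raise ValueError("secret key does not match ring[signer_idx]")
    alpha = secrets.randbelow(N - 1) + 1
    c = [0] * n
    s = [0] * n
    i = (signer_idx + 1) % n
    c[i] = _hash(msg, ring, _mul(alpha, G))          # start the cycle just after the signer
    while i != signer_idx:                           # every other link: random s_i
        s[i] = secrets.randbelow(N - 1) + 1
        c[(i + 1) % n] = _hash(msg, ring, _add(_mul(s[i], G), _mul(c[i], ring[i])))
        i = (i + 1) % n
    s[signer_idx] = (alpha - c[signer_idx] * secret) % N   # solve the signer's link
    return c[0], s


def ring_verify(msg, ring, sig):
    """Valid iff walking all links from c_0 returns to c_0; uses public keys only."""
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for i, y in enumerate(ring):
        c = _hash(msg, ring, _add(_mul(s[i], G), _mul(c, y)))
    return c == c0


if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]           # constructed ring of three members
    ring = [y for _, y in keys]
    sig = ring_sign(b"constructed message", ring, 1, keys[1][0])   # member 1 signs
    print("verifies:", ring_verify(b"constructed message", ring, sig))
    print("tampered:", ring_verify(b"other message", ring, sig))
```

Anonymity here is unconditional in the random-oracle model: every s_i in the signature is uniformly distributed whichever member signed, which is what the verifier's public-key-only check cannot undo. The weaknesses the paper's stronger definitions target (e.g. an adversary that knows the other members' secret keys, or chooses the ring's public keys) are not addressed by this toy.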

Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography
Advances in Cryptology – CRYPTO 2004
2004
Cited by 13 (2 self)
We propose the first distributed discrete-log key generation (DLKG) protocol from scratch which is adaptively secure in the non-erasure model, and at the same time completely avoids the use of interactive zero-knowledge proofs. As a consequence, the protocol can be proven secure in a universally composable (UC)-like framework which prohibits rewinding. We prove the security in what we call the single-inconsistent-player (SIP) UC model, which guarantees arbitrary composition as long as all protocols are executed by the same players. As applications, we propose a fully UC threshold Schnorr signature scheme, a fully UC threshold DSS signature scheme, and a SIP UC threshold Cramer-Shoup cryptosystem. Our results are based on a new adaptively secure Feldman VSS scheme. Although adaptive security was already addressed by Feldman in the original paper, the scheme requires secure communication, secure erasure, and either a linear number of rounds or digital signatures to resolve disputes. Our scheme overcomes all of these shortcomings, but on the other hand requires some restriction on the corruption behavior of the adversary, which however disappears in some applications including our new DLKG protocol. We also propose several new adaptively secure protocols, which may find other applications, like a distributed trapdoor-key generation protocol for Pedersen’s commitment scheme, an adaptively secure Pedersen VSS scheme (as a committed VSS), or distributed-verifier proofs for proving relations among commitments or even any NP relations in general.

Practical and secure solutions for integer comparison
In Public Key Cryptography (PKC’07), volume 4450 of LNCS
2007
Cited by 12 (1 self)
Yao’s classical millionaires’ problem is about securely determining whether x > y, given two input values x, y, which are held as private inputs by two parties, respectively. The output x > y becomes known to both parties. In this paper, we consider a variant of Yao’s problem in which the inputs x, y as well as the output bit x > y are encrypted. Referring to the framework of secure n-party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgård, and Nielsen at Eurocrypt 2001, we develop solutions for integer comparison, which take as input two lists of encrypted bits representing x and y, respectively, and produce an encrypted bit indicating whether x > y as output. Secure integer comparison is an important building block for applications such as secure auctions. In this paper, our focus is on the two-party case, although most of our results extend to the multi-party case. We propose new logarithmic-round and constant-round protocols for this setting, which achieve simultaneously very low communication and computational complexities. We analyze the protocols in detail and show that our solutions compare favorably to other known solutions. Key words: millionaires’ problem; secure multi-party computation; homomorphic encryption.
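The setting of this abstract, as an added example that is not the paper's protocol: both inputs arrive as lists of encrypted bits, and the output is an encrypted bit for x > y. The sketch below uses Paillier encryption, whose additive homomorphism makes sums and constant multiples of encrypted bits free; each AND gate costs one round with the key holder via the usual blinding trick. Two simplifications are this example's own assumptions: a single key-holding party's decryption stands in for the threshold decryption of the Cramer, Damgård and Nielsen framework, and the comparison circuit is scanned bit by bit (linear rounds), not the logarithmic- or constant-round protocols the paper proposes. The toy primes and function names are likewise assumptions.

```python
# Added example (not from the paper): comparing two integers held as encrypted bits.
# Paillier: E(a)*E(b) = E(a+b) and E(a)^k = E(k*a); an AND gate needs one interactive
# multiplication with the party holding the decryption key.
import random
from math import gcd

# Constructed toy primes; a real deployment uses primes of 1024 bits or more.
P_PRIME, Q_PRIME = 1000003, 1000033


def keygen(p=P_PRIME, q=Q_PRIME):
    """Paillier key pair: pk = (n, g), sk = (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    g = n + 1
    l_val = (pow(g, lam, n * n) - 1) // n
    return (n, g), (lam, pow(l_val, -1, n))


def encrypt(pk, m):
    n, g = pk
    n2 = n * n
    r = random.randrange(1, n)
    while gcd(r, n) != 1:
        r = random.randrange(1, n)
    return pow(g, m % n, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(pk, c1, c2):
    """E(a) * E(b) = E(a + b)."""
    return c1 * c2 % (pk[0] ** 2)


def scale(pk, c, k):
    """E(a)^k = E(k * a); a negative k is reduced mod n, giving subtraction."""
    return pow(c, k % pk[0], pk[0] ** 2)


def mul_gate(pk, sk, ca, cb):
    """E(a*b) from E(a), E(b).  Party A (ciphertexts only) blinds with random r, s;
    party B (key holder) decrypts the blinded values, which are uniform mod n and so
    leak nothing, and returns E((a+r)(b+s)); A strips the cross terms.
    B's single decryption stands in for threshold decryption (simplification)."""
    n, _ = pk
    r, s = random.randrange(n), random.randrange(n)
    ca_blind = add(pk, ca, encrypt(pk, r))          # A -> B : E(a + r)
    cb_blind = add(pk, cb, encrypt(pk, s))          # A -> B : E(b + s)
    a_blind = decrypt(pk, sk, ca_blind)             # B sees a + r mod n
    b_blind = decrypt(pk, sk, cb_blind)             # B sees b + s mod n
    c_prod = encrypt(pk, a_blind * b_blind % n)     # B -> A : E((a+r)(b+s))
    c = add(pk, c_prod, scale(pk, ca, -s))          # minus s*a
    c = add(pk, c, scale(pk, cb, -r))               # minus r*b
    return add(pk, c, encrypt(pk, (-r * s) % n))    # minus r*s  => E(a*b)


def compare_encrypted(pk, sk, cx_bits, cy_bits):
    """E(1) if x > y else E(0); bit lists are MSB first and of equal length.
    x > y iff some position i has x_i = 1, y_i = 0 and all higher bits equal."""
    prefix_equal = encrypt(pk, 1)   # E(1): no differing bit seen so far
    result = encrypt(pk, 0)
    for cx, cy in zip(cx_bits, cy_bits):
        cxy = mul_gate(pk, sk, cx, cy)                          # E(x_i * y_i)
        gt_here = add(pk, cx, scale(pk, cxy, -1))               # E(x_i AND NOT y_i)
        result = add(pk, result, mul_gate(pk, sk, prefix_equal, gt_here))
        # eq_i = 1 - x_i - y_i + 2*x_i*y_i  (1 iff x_i == y_i)
        eq = add(pk, encrypt(pk, 1), scale(pk, cx, -1))
        eq = add(pk, eq, scale(pk, cy, -1))
        eq = add(pk, eq, scale(pk, cxy, 2))
        prefix_equal = mul_gate(pk, sk, prefix_equal, eq)
    return result   # at most one summand is 1, so the plaintext is 0 or 1


def to_bits(v, width):
    return [(v >> i) & 1 for i in range(width - 1, -1, -1)]


def secure_gt(x, y, width=8):
    """Whole run: encrypt both inputs bitwise, compare, decrypt only the result bit."""
    pk, sk = keygen()
    cx = [encrypt(pk, b) for b in to_bits(x, width)]
    cy = [encrypt(pk, b) for b in to_bits(y, width)]
    return decrypt(pk, sk, compare_encrypted(pk, sk, cx, cy))


if __name__ == "__main__":
    for x, y in [(200, 13), (13, 200), (77, 77)]:   # constructed inputs
        print(x, ">", y, "->", secure_gt(x, y))
```

Each bit position costs three multiplication gates, so the round count grows with the bit length; reducing that to logarithmic or constant rounds at low communication is precisely the contribution the abstract claims, and this example is only the baseline it improves on. Decrypting anything other than the final result bit (as the key holder does for the blinded values) is safe only because those values are freshly blinded each time.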

Adaptively-Secure, Non-Interactive Public-Key Encryption
2004
Cited by 12 (1 self)
Adaptively-secure encryption schemes ensure secrecy even in the presence of an adversary who can corrupt parties in an adaptive manner based on public keys, ciphertexts, and secret data of already-corrupted parties. Ideally, an adaptively-secure encryption scheme should, like standard public-key encryption, allow arbitrarily many parties to use a single encryption key to securely encrypt arbitrarily many messages to a given receiver who maintains only a single short decryption key. However, it is known that these requirements are impossible to achieve: no non-interactive encryption scheme that supports encryption of an unbounded number of messages and uses a single, unchanging decryption key can be adaptively secure. Impossibility holds even if secure data erasure is possible.

Improved Non-Committing Encryption with Applications to Adaptively Secure Protocols
Cited by 10 (3 self)
We present a new construction of non-committing encryption schemes. Unlike the previous constructions of Canetti et al. (STOC ’96) and of Damgård and Nielsen (Crypto ’00), our construction achieves all of the following properties:
– Optimal round complexity. Our encryption scheme is a 2-round protocol, matching the round complexity of Canetti et al. and improving upon that in Damgård and Nielsen.
– Weaker assumptions. Our construction is based on trapdoor simulatable cryptosystems, a new primitive that we introduce as a relaxation of those used in previous works. We also show how to realize this primitive based on hardness of factoring.
– Improved efficiency. The amortized complexity of encrypting a single bit is O(1) public key operations on a constant-sized plaintext in the underlying cryptosystem.
As a result, we obtain the first non-committing public-key encryption schemes under hardness of factoring and worst-case lattice assumptions; previously, such schemes were only known under the CDH and RSA assumptions. Combined with existing work on secure multi-party computation, we obtain protocols for multi-party computation secure against a malicious adversary that may adaptively corrupt an arbitrary number of parties under weaker assumptions than were previously known. Specifically, we obtain the first adaptively secure multi-party protocols based on hardness of factoring in both the stand-alone setting and the UC setting with a common reference string. Key words: public-key encryption, adaptive corruption, non-committing encryption, secure multi-party computation.

On adaptive vs. non-adaptive security of multiparty protocols
In Eurocrypt ’2001, LNCS 2045
2001

Deniable Encryption with Negligible Detection Probability: An Interactive Construction
2011
Cited by 6 (0 self)
Deniable encryption, introduced in 1997 by Canetti, Dwork, Naor, and Ostrovsky, guarantees that the sender or the receiver of a secret message is able to “fake” the message encrypted in a specific ciphertext in the presence of a coercing adversary, without the adversary detecting that he was not given the real message. To date, constructions are only known either for weakened variants with separate “honest” and “dishonest” encryption algorithms, or for single-algorithm schemes with non-negligible detection probability. We propose the first sender-deniable public key encryption system with a single encryption algorithm and negligible detection probability. We describe a generic interactive construction based on a public key bit encryption scheme that has certain properties, and we give two examples of encryption schemes with these properties, one based on the quadratic residuosity assumption and the other on trapdoor permutations.

Bi-deniable public-key encryption
In CRYPTO
2011
Cited by 6 (2 self)
In CRYPTO 1997, Canetti et al. put forward the intriguing notion of deniable encryption, which (informally) allows a sender and/or receiver, having already performed some encrypted communication, to produce ‘fake’ (but legitimate-looking) random coins that open the ciphertext to another message. Deniability is a powerful notion for both practice and theory: apart from its inherent utility for resisting coercion, a deniable scheme is also non-committing (a useful property in constructing adaptively secure protocols) and secure under selective-opening attacks on whichever parties can equivocate. To date, however, known constructions have achieved only limited forms of deniability, requiring at least one party to withhold its randomness, and in some cases using an interactive protocol or external parties. In this work we construct bi-deniable public-key cryptosystems, in which both the sender and receiver can simultaneously equivocate; we stress that the schemes are non-interactive and involve no third parties. One of our systems is based generically on “simulatable encryption” as defined by Damgård and Nielsen (CRYPTO 2000), while the other is lattice-based and builds upon the results of Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that may be of independent interest. Both schemes work in the so-called “multi-distributional” model, in which the parties run alternative key-generation and encryption algorithms for equivocable communication, but claim under coercion to have run the prescribed algorithms. Although multi-distributional deniability has not attracted much attention, we argue that it is meaningful and useful because it provides credible coercion resistance in certain settings, and suffices for all of the related properties mentioned above. Keywords. Deniable encryption, non-committing encryption, simulatable encryption, lattice cryptography.