Results 1  10
of
98
Security and Composition of Multiparty Cryptographic Protocols
 JOURNAL OF CRYPTOLOGY
, 1998
"... We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions f ..."
Abstract

Cited by 389 (18 self)
 Add to MetaCart
We present general definitions of security for multiparty cryptographic protocols, with focus on the task of evaluating a probabilistic function of the parties' inputs. We show that, with respect to these definitions, security is preserved under a natural composition operation. The definitions follow the general paradigm of known definitions; yet some substantial modifications and simplifications are introduced. The composition operation is the natural `subroutine substitution' operation, formalized by Micali and Rogaway. We consider several standard settings for multiparty protocols, including the cases of eavesdropping, Byzantine, nonadaptive and adaptive adversaries, as well as the informationtheoretic and the computational models. In particular, in the computational model we provide the first definition of security of protocols that is shown to be preserved under composition.
A modular approach to the design and analysis of authentication and key exchange protocols
, 1998
"... We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key e ..."
Abstract

Cited by 223 (20 self)
 Add to MetaCart
We present a general framework for constructing and analyzing authentication protocols in realistic models of communication networks. This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key exchange protocols. The key element in our approach is a modular treatment of the authentication problem in cryptographic protocols; this applies to the definition of security, to the design of the protocols, and to their analysis. In particular, following this modular approach, we show how to systematically transform solutions that work in a model of idealized authenticated communications into solutions that are secure in the realistic setting of communication channels controlled by an active adversary. Using these principles we construct and prove the security of simple and practical authentication and keyexchange protocols. In particular, we provide a security analysis of some wellknown key exchange protocols (e.g. authenticated DiffieHellman key exchange), and of some of the techniques underlying the design of several authentication protocols that are currently being
Robust Threshold DSS Signatures
, 1996
"... . We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forg ..."
Abstract

Cited by 122 (12 self)
 Add to MetaCart
. We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n=3 players who refuse to participate in the signature protocol. We can also endure n=4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability. Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted player...
General Secure MultiParty Computation from any Linear SecretSharing Scheme
, 2000
"... Abstract. We show that verifiable secret sharing (VSS) and secure multiparty computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neith ..."
Abstract

Cited by 122 (20 self)
 Add to MetaCart
Abstract. We show that verifiable secret sharing (VSS) and secure multiparty computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the informationtheoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous informationtheoretically secure protocols, the field size is not restricted (e.g, to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for nonthreshold adversaries provably have superpolynomial complexity. 1
Multiparty Computation from Threshold Homomorphic Encryption
, 2001
"... Abstract. We introduce a new approach to multiparty computation (MPC) basing it on homomorphic threshold cryptosystems. We show that given keys for any sufficiently efficient system of this type, general MPC protocols for n parties can be devised which are secure against an active adversary that co ..."
Abstract

Cited by 114 (14 self)
 Add to MetaCart
Abstract. We introduce a new approach to multiparty computation (MPC) basing it on homomorphic threshold cryptosystems. We show that given keys for any sufficiently efficient system of this type, general MPC protocols for n parties can be devised which are secure against an active adversary that corrupts any minority of the parties. The total number of bits broadcast is O(nkC), where k is the security parameter and C  is the size of a (Boolean) circuit computing the function to be securely evaluated. An earlier proposal by Franklin and Haber with the same complexity was only secure for passive adversaries, while all earlier protocols with active security had complexity at least quadratic in n. We give two examples of threshold cryptosystems that can support our construction and lead to the claimed complexities. 1
Secure multiparty computation of approximations
, 2001
"... Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the ..."
Abstract

Cited by 98 (24 self)
 Add to MetaCart
Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely, without revealing more information than necessary. In this work we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations. We start by extending standard definitions of secure (exact) computation to the setting of secure approximations. Our definitions guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated. We then study the complexity of specific secure approximation problems. In particular, we obtain a sublinearcommunication protocol for securely approximating the Hamming distance and a polynomialtime protocol for securely approximating the permanent and related #Phard problems. 1
Simplified VSS and Fasttrack Multiparty Computations with Applications to Threshold Cryptography
, 1998
"... The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols. First we present a very simple Verifiable Secret ..."
Abstract

Cited by 84 (5 self)
 Add to MetaCart
The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols. First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic primitives and avoids altogether the need for expensive zeroknowledge proofs. This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a major component in secure multiparty computation protocols and accounts for much of the complexity of proposed solutions. Using our protocol as a plugin unit in known protocols reduces their complexity. We show how to achieve efficient multiparty computations in the computational model, through the application of homomorphic commitments. Finally, we present fasttrack multiparty computation protocols. In a model in which malicious faults are rare we s...
Adaptively Secure Multiparty Computation
, 1996
"... A fundamental problem in designing secure multiparty protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographi ..."
Abstract

Cited by 77 (8 self)
 Add to MetaCart
A fundamental problem in designing secure multiparty protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographic primitives based on the computational limitations of the adversary.
Studies in Secure Multiparty Computation and Applications
, 1996
"... Consider a set of parties who do not trust each other, nor the channels by which they communicate. Still, the parties wish to correctly compute some common function of their local inputs, while keeping their local data as private as possible. This, in a nutshell, is the problem of secure multiparty ..."
Abstract

Cited by 77 (8 self)
 Add to MetaCart
Consider a set of parties who do not trust each other, nor the channels by which they communicate. Still, the parties wish to correctly compute some common function of their local inputs, while keeping their local data as private as possible. This, in a nutshell, is the problem of secure multiparty computation. This problem is fundamental in cryptography and in the study of distributed computations. It takes many different forms, depending on the underlying network, on the function to be computed, and on the amount of distrust the parties have in each other and in the network. We study several aspects of secure multiparty computation. We first present new definitions of this problem in various settings. Our definitions draw from previous ideas and formalizations, and incorporate aspects that were previously overlooked. Next we study the problem of dealing with adaptive adversaries. (Adaptive adversaries are adversaries that corrupt parties during the course of the computation, based on...
Parallel CoinTossing and ConstantRound Secure TwoParty Computation
 Journal of Cryptology
, 2001
"... Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that e ..."
Abstract

Cited by 76 (14 self)
 Add to MetaCart
Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that ensures security only in the face of semihonest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constantround protocol for secure cointossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constantround protocol for securely computing any twoparty functionality. On the subject of cointossing, we also present a constantround perfect cointossing protocol, where by “perfect ” we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom). 1