Results 1 - 10 of 88
On the Limitations of Universally Composable Two-Party Computation without Setup Assumptions
Journal of Cryptology, 2003
Cited by 82 (16 self)
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multi-party, multi-protocol, multi-execution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output.
Universal Composition with Joint State
2002
Cited by 61 (5 self)
We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are assumed to have completely disjoint local states, the new operation allows the composed protocols to have some amount of joint state (and, in particular, joint randomness) while still guaranteeing strong composability properties.
Symmetric Encryption in Automatic Analyses for Confidentiality against Active Adversaries
2004
Cited by 53 (2 self)
In this article we present a technique for static analysis, correct with respect to complexity-theoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway - we define patterns for cryptographic protocols (they did it for formal expressions), such that the protocol is secure iff the patterns are. We then statically analyse the patterns, they should be easier to analyse than the protocols themselves. We consider symmetric encryption as the cryptographic primitive in protocols. Handling this primitive has so far received comparatively less attention in approaches striving to unite the formal and computational models of cryptography.
Bounded-concurrent secure two-party computation without setup assumptions
STOC 2003, 2003
General composition and universal composability in secure multiparty computation
In FOCS ’03, 2003
Cited by 42 (10 self)
Concurrent general composition relates to a setting where a secure protocol is run in a network concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols are executed concurrently. Canetti (FOCS 2001) introduced the notion of universal composability, and showed that security under this definition is sufficient for achieving concurrent general composition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition is equivalent to a relaxed variant of universal composability (where the only difference relates to the order of quantifiers in the definition). An important corollary of this theorem is that existing impossibility results for universal composability (or actually its relaxed variant) are inherent in any definition achieving security under concurrent general composition. In particular, there are large classes of two-party functionalities for which it is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not “black-box”, and apply even to non-black-box simulation. Our main result also demonstrates that the definition of universal composability is somewhat “minimal”, in that the composition guarantee provided by universal composability (almost) implies the definition itself. This indicates that the security definition of universal composability is not overly restrictive.
Universally composable multi-party computation using tamper-proof hardware
In EUROCRYPT, Lecture Notes in Computer Science, 2007
Cited by 39 (2 self)
Abstract. Protocols proven secure within the universal composability (UC) framework satisfy strong and desirable security properties. Unfortunately, it is known that within the “plain” model, secure computation of general functionalities without an honest majority is impossible. This has prompted researchers to propose various “setup assumptions” with which to augment the bare UC framework in order to bypass this severe negative result. Existing setup assumptions seem to inherently require some trusted party (or parties) to initialize the setup in the real world. We propose a new setup assumption — more along the lines of a physical assumption regarding the existence of tamper-proof hardware — which also suffices to circumvent the impossibility result mentioned above. We suggest this assumption as potentially leading to an approach that might alleviate the need for trusted parties, and compare our assumption to those proposed previously.
Universally Composable Security with Global Setup
In Proceedings of the 4th Theory of Cryptography Conference, 2007
Cited by 37 (3 self)
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that reestablishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
Round-Optimal Secure Two-Party Computation
In CRYPTO 2004, 2004
Cited by 33 (4 self)
We consider the central cryptographic task of secure two-party computation: two parties wish to compute some function of their private inputs (each receiving possibly different outputs) where security should hold with respect to arbitrarily-malicious behavior of either of the participants. Despite extensive research in this area, the exact round-complexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary poly-time functionality) was not previously known.
Round Efficiency of Multi-Party Computation with a Dishonest Majority
In Eurocrypt ’03, 2003. LNCS, 2003
Cited by 28 (6 self)
Abstract. We consider the round complexity of multi-party computation in the presence of a static adversary who controls a majority of the parties. Here, n players wish to securely compute some functionality and up to n − 1 of these players may be arbitrarily malicious. Previous protocols for this setting (when a broadcast channel is available) require O(n) rounds. We present two protocols with improved round complexity: The first assumes only the existence of trapdoor permutations and dense cryptosystems, and achieves round complexity O(log n) based on a proof scheduling technique of Chor and Rabin [13]; the second requires a stronger hardness assumption (along with the non-black-box techniques of Barak [2]) and achieves O(1) round complexity.
Composition of Cryptographic Protocols in a Probabilistic Polynomial-Time Process Calculus
Proceedings of CONCUR 2003 - Concurrency Theory, volume 2761 of LNCS, 2003
Cited by 27 (5 self)
We use the probabilistic polynomial-time process calculus introduced in [15] to derive compositionality properties of cryptographic protocols in the presence of computationally bounded adversaries. We focus on four types of protocols: oblivious transfer (OT), secure function evaluation, zero-knowledge proofs and secure channel implementation. A general definition for all these cases is established following the general paradigm that a protocol is secure iff it can emulate an ideal protocol. To this end, we capitalize on the semantics of the calculus and extract a Markov process of observations to set up the notion of emulation. Emulation turns out to be a congruence relation and this result leads to a general composition theorem. We derive as a corollary an associated composition result for each of the four types of protocols considered, encompassing in some cases both active and passive adversaries. As an illustration of the concepts and results in an intuitive and simple manner, we give special emphasis to the simple case of OT, incorporating an example of the protocol. Finally, we compare our approach with the approaches by Canetti in [5] and Pfitzmann et al. in [22].