On the Limitations of Universally Composable Two-Party Computation without Setup Assumptions
Journal of Cryptology, 2003
Cited by 84 (17 self)
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multiparty, multiprotocol, multiexecution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties' inputs, and furthermore are "efficiently invertible" in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output.
Secure Computation Without Authentication
In CRYPTO 2005, Springer-Verlag (LNCS 3621), 2005
Cited by 22 (11 self)
Abstract. Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the honest parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in itself, and also independent of the computation in the other sets. In the basic setting our construction provides, for the first time, non-trivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and non-malleable commitments. As an application of our results, we study the question of constructing secure protocols in partially-authenticated networks, where some of the links are authenticated and some are not (as is the case in most networks today).
Information-Theoretically Secure Protocols and Security Under Composition
In 38th STOC, 2006
Cited by 22 (5 self)
Abstract. We investigate the question of whether security of protocols in the information-theoretic setting (where the adversary is computationally unbounded) implies the security of these protocols under concurrent composition. This question is motivated by the folklore that all known protocols that are secure in the information-theoretic setting are indeed secure under concurrent composition. We provide answers to this question for a number of different settings (i.e., considering perfect versus statistical security, and concurrent composition with adaptive versus fixed inputs). Our results enhance the understanding of what is necessary for obtaining security under composition, as well as providing tools (i.e., composition theorems) that can be used for proving the security of protocols under composition while considering only the standard stand-alone definitions of security.
Multi-trapdoor Commitments and Their Applications to Proofs of Knowledge Secure under Concurrent Man-in-the-Middle Attacks
In CRYPTO, 2004
Cited by 15 (1 self)
Abstract. We introduce the notion of multi-trapdoor commitments, which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent man-in-the-middle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or Diffie-Hellman Assumption.
Concurrently-Secure Blind Signatures without Random Oracles or Setup Assumptions
In TCC 2007, 2007
Lower Bounds and Impossibility Results for Concurrent Self Composition
Journal of Cryptology, 2004
Cited by 8 (0 self)
Abstract. In the setting of concurrent self composition, a single protocol is executed many times concurrently by a single set of parties. In this paper, we prove lower bounds and impossibility results for secure protocols in this setting. First and foremost, we prove that there exist large classes of functionalities that cannot be securely computed under concurrent self composition, by any protocol. We also prove a communication complexity lower bound on protocols that securely compute a large class of functionalities in this setting. Specifically, we show that any protocol that computes a functionality from this class and remains secure for m concurrent executions must have bandwidth of at least m bits. The above results are unconditional and hold for any type of simulation (i.e., even for non-black-box simulation). In addition, we prove a severe lower bound on protocols that are proven secure using black-box simulation. Specifically, we show that any protocol that computes the blind signature or oblivious transfer functionalities and remains secure for m concurrent executions, where security is proven via black-box simulation, must have at least m rounds of communication. Our results hold for the plain model, where no trusted setup phase is assumed. While proving our impossibility results, we also show that for many functionalities, security under concurrent self composition (where a single secure protocol is run many times) is actually equivalent to the seemingly more stringent requirement of security under concurrent general composition (where a secure protocol is run concurrently with other arbitrary protocols). This observation has significance beyond the impossibility results that are derived by it for concurrent self composition.
Adaptive Hardness and Composable Security in the Plain Model from Standard Assumptions
Cited by 6 (1 self)
Abstract. We construct the first general secure computation protocols that require no trusted infrastructure other than authenticated communication, and that satisfy a meaningful notion of security that is preserved under universal composition, assuming only the existence of enhanced trapdoor permutations. The notion of security fits within a generalization of the "angel-based" framework of Prabhakaran and Sahai (STOC'04) and implies super-polynomial time simulation security. Security notions of this kind are currently known to be realizable only under strong and specific hardness assumptions. A key element in our construction is a commitment scheme that satisfies a new and strong notion of security. The notion, security against chosen-commitment attacks (CCA security), means that security holds even if the attacker has access to an extraction oracle that gives the adversary decommitment information for commitments of the adversary's choice. This notion is stronger than concurrent non-malleability and is of independent interest. We construct CCA-secure commitments based on standard one-way functions, and with no trusted setup. To the best of our knowledge, this provides the first construction of a natural cryptographic primitive requiring adaptive hardness from standard hardness assumptions, using no trusted setup or public keys.
Keywords: cryptography; adaptive hardness; secure multiparty computation; composable security
Concurrent Non-Malleable Zero Knowledge
2006
Cited by 5 (0 self)
Abstract. We provide the first construction of a concurrent and non-malleable zero-knowledge argument for every language in NP. We stress that our construction is in the plain model with no common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero-knowledge protocol # such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of #, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier.
Concurrently Non-Malleable Zero-Knowledge in the Authenticated Public-Key Model
Cryptology ePrint Archive, 2006
Cited by 4 (0 self)
Abstract. We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. As negative results in the area of concurrent non-malleable zero-knowledge imply that protocols in the standard setting (i.e., under no setup assumptions) can only be given for trivial languages, researchers have studied such protocols in models with setup assumptions, such as the common reference string (CRS) model. This model assumes that a reference string is honestly created at the beginning of all interactions and later available to all parties (an assumption that is satisfied, for instance, in the presence of a trusted party). A growing area of research in cryptography is that of reducing the setup assumptions under which certain cryptographic protocols can be realized. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm is required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from [8, 30], and a weaker variation of the registered public-key model used in [3]. We then define and study