Results 1 - 10 of 43

On the Limitations of Universally Composable Two-Party Computation without Setup Assumptions
Journal of Cryptology, 2003
Cited by 110 (19 self)
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multi-party, multi-protocol, multi-execution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output.

Secure Computation Without Authentication
In CRYPTO 2005, Springer-Verlag (LNCS 3621), 2005
Cited by 31 (11 self)
Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the honest parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in itself, and also independent of the computation in the other sets. In the basic setting our construction provides, for the first time, non-trivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and non-malleable commitments. As an application of our results, we study the question of constructing secure protocols in partially-authenticated networks, where some of the links are authenticated and some are not (as is the case in most networks today).

Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks (Extended Abstract)
In CRYPTO, 2004
Cited by 30 (2 self)
We introduce the notion of multi-trapdoor commitments which is a stronger form of trapdoor commitment schemes. We then construct two very efficient instantiations of multi-trapdoor commitment schemes, one based on the Strong RSA Assumption and the other on the Strong Diffie-Hellman Assumption. The main application of our new notion is the construction of a compiler that takes any proof of knowledge and transforms it into one which is secure against a concurrent man-in-the-middle attack (in the common reference string model). When using our specific implementations, this compiler is very efficient (requires no more than four exponentiations) and maintains the round complexity of the original proof of knowledge. The main practical applications of our results are concurrently secure identification protocols. For these applications our results are the first simple and efficient solutions based on the Strong RSA or Diffie-Hellman Assumption.

Information-Theoretically Secure Protocols and Security Under Composition
In the 38th STOC, 2006
Cited by 29 (5 self)
We investigate the question of whether security of protocols in the information-theoretic setting (where the adversary is computationally unbounded) implies the security of these protocols under concurrent composition. This question is motivated by the folklore that all known protocols that are secure in the information-theoretic setting are indeed secure under concurrent composition. We provide answers to this question for a number of different settings (i.e., considering perfect versus statistical security, and concurrent composition with adaptive versus fixed inputs). Our results enhance the understanding of what is necessary for obtaining security under composition, as well as providing tools (i.e., composition theorems) that can be used for proving the security of protocols under composition while considering only the standard stand-alone definitions of security.

How to play almost any mental game over the net - concurrent composition via super-polynomial simulation
In Proceedings of the 46th Annual Symposium on Foundations of Computer Science - FOCS’05, 2005
Cited by 27 (2 self)
We construct a secure protocol for any multi-party functionality that remains secure (under a relaxed definition of security introduced by Prabhakaran and Sahai (STOC ’04)) when executed concurrently with multiple copies of itself and other protocols, without any assumptions on existence of trusted parties, common reference string, honest majority or synchronicity of the network. The relaxation of security is obtained by allowing the ideal-model simulator to run in quasi-polynomial (as opposed to polynomial) time. Quasi-polynomial simulation suffices to ensure security for most applications of multi-party computation. Furthermore, Lindell (FOCS ’03, TCC ’04) recently showed that such a protocol is impossible to obtain under the more standard definition of polynomial-time simulation by an ideal adversary.

Concurrently-secure blind signatures without random oracles or setup assumptions
In TCC 2007, 2007

Adaptive Hardness and Composable Security in the Plain Model from Standard Assumptions
Cited by 15 (5 self)
Abstract—We construct the first general secure computation protocols that require no trusted infrastructure other than authenticated communication, and that satisfy a meaningful notion of security that is preserved under universal composition—assuming only the existence of enhanced trapdoor permutations. The notion of security fits within a generalization of the “angel-based” framework of Prabhakaran and Sahai (STOC’04) and implies super-polynomial time simulation security. Security notions of this kind are currently known to be realizable only under strong and specific hardness assumptions. A key element in our construction is a commitment scheme that satisfies a new and strong notion of security. The notion, security against chosen-commitment attacks (CCA security), means that security holds even if the attacker has access to an extraction oracle that gives the adversary decommitment information to commitments of the adversary’s choice. This notion is stronger than concurrent non-malleability and is of independent interest. We construct CCA-secure commitments based on standard one-way functions, and with no trusted setup. To the best of our knowledge, this provides the first construction of a natural cryptographic primitive requiring adaptive hardness from standard hardness assumptions, using no trusted setup or public keys. Keywords: cryptography; adaptive hardness; secure multi-party computation; composable security

Concurrent Non-Malleable Zero Knowledge
In Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science, 2006
Cited by 12 (0 self)
We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model with no common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can choose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties’ inputs in each execution are chosen adaptively based on the results of previous executions