Results 1-10 of 21
Oblivious transfer in the bounded storage model
In Advances in Cryptology - CRYPTO 2001, 2001
Cited by 21 (3 self)
Abstract. Building on a previous important work of Cachin, Crépeau, and Marcil [15], we present a provably secure and more efficient protocol for $\binom{2}{1}$-Oblivious Transfer with a storage-bounded receiver. A public random string of n bits long is employed, and the protocol is secure against any receiver who can store γn bits, γ < 1. Our work improves the work of CCM [15] in two ways. First, the CCM protocol requires the sender and receiver to store $O(n^c)$ bits, c ∼ 2/3. We give a similar but more efficient protocol that just requires the sender and receiver to store $O(\sqrt{kn})$ bits, where k is a security parameter. Second, the basic CCM protocol was proved in [15] to guarantee that a dishonest receiver who can store O(n) bits succeeds with probability at most $O(n^{-d})$, d ∼ 1/3, although repetition of the protocol can make this probability of cheating exponentially small [20]. Combining the methodologies of [24] and [15], we prove that in our protocol, a dishonest storage-bounded receiver succeeds with probability only $2^{-O(k)}$, without repetition of the protocol. Our results answer an open problem raised by CCM in the affirmative.
A two-server, sealed-bid auction protocol
In Sixth Annual Proceedings of Financial Cryptography, 2002
Cited by 16 (0 self)
Abstract. Naor, Pinkas, and Sumner introduced and implemented a sealed-bid, two-server auction system that is perhaps the most efficient and practical to date. Based on a cryptographic primitive known as oblivious transfer, their system aims to ensure privacy and correctness provided that at least one auction server behaves honestly. As observed in [19], however, the NPS system suffers from a security flaw in which one of the two servers can cheat so as to modify bids almost arbitrarily and without detection. We propose a means of repairing this flaw while preserving the attractive practical elements of the NPS protocol, including minimal round complexity for servers and minimal computation by players providing private inputs. Our proposal requires a slightly greater amount of computation and communication on the part of the two auction servers, but actually involves much less computation on the part of bidders. This latter feature makes our proposal particularly attractive for use with low-power devices. While the original proposal of NPS involved several dozen exponentiations for a typical auction, ours by contrast involves only several dozen modular multiplications. The key idea in our proposal is a form of oblivious transfer that we refer to as verifiable proxy oblivious transfer (VPOT). Key words: auction, sealed-bid auction, oblivious transfer, secure multiparty computation, secure function evaluation
Oblivious Transfer is Symmetric
In EUROCRYPT 2006, Springer (LNCS 4004), 2006
Cited by 13 (1 self)
Abstract. We show that oblivious transfer of bits from A to B can be obtained from a single instance of the same primitive from B to A. Our reduction is perfect and shows that oblivious transfer is in fact a symmetric functionality. This solves an open problem posed by Crépeau and Sántha in 1991.
Commitment Capacity of Discrete Memoryless Channels
In Cryptography and Coding, LNCS, 2003
Cited by 12 (1 self)
Abstract. In extension of the bit commitment task and following work initiated by Crépeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum equivocation of the channel (after removing trivial redundancy), even when unlimited noiseless bidirectional side communication is allowed. By a well-known reduction, this result provides a lower bound on the channel's capacity for implementing coin tossing, which we conjecture to be an equality. The method of proving this...
Zero-error information and applications in cryptography
In Proceedings of 2004 IEEE Information Theory Workshop (ITW), 2004
Cited by 10 (4 self)
Abstract — In analogy to the zero-error variant of the channel capacity, the zero-error information between two random variables is defined. We show that our definition is natural in the sense that the representation of the channel capacity with respect to mutual information carries over to the zero-error variants of the quantities. It is shown that the new notion, together with two operators introduced in the same context, namely the common random variable of two random variables and the dependent part of a random variable with respect to another, is useful for giving characterizations of the possibility of realizing cryptographic tasks (such as bit commitment, coin tossing, or oblivious transfer) from correlated pieces of information.
Constructions and Bounds for Unconditionally Secure Non-Interactive Commitment Schemes
In Designs, Codes, and Cryptography, 2002
Cited by 8 (2 self)
Abstract. Commitment schemes have been extensively studied since they were introduced by Blum in 1982. Rivest recently showed how to construct unconditionally secure non-interactive commitment schemes, assuming the existence of a trusted initializer. In this paper, we present a formal mathematical model for unconditionally secure non-interactive commitment schemes with a trusted initializer and analyze their binding and concealing properties. In particular, we show that such schemes cannot be perfectly binding: there is necessarily a small probability that Alice can cheat Bob by committing to one value but later revealing a different value. We prove several bounds on Alice's cheating probability, and present constructions of schemes that achieve optimal cheating probabilities. We also analyze a class of commitment schemes based on resolvable designs.
New monotones and lower bounds in unconditional two-party computation
In Advances in Cryptology — CRYPTO ’05, 2005
Cited by 7 (4 self)
Abstract. Since bit and string oblivious transfer and commitment, two primitives of paramount importance in secure two- and multi-party computation, cannot be realized in an unconditionally secure way for both parties from scratch, reductions to weak information-theoretic primitives as well as between different variants of the functionalities are of great interest. In this context, we introduce three independent monotones (quantities that cannot be increased by any protocol) and use them to derive lower bounds on the possibility and efficiency of such reductions. An example is the transition between different versions of oblivious transfer, for which we also propose a new protocol allowing to increase the number of messages the receiver can choose from at the price of a reduction of their length. Our scheme matches the new lower bound and is, therefore, optimal.
On Unconditionally Secure Distributed Oblivious Transfer
In Progress in Cryptology: Proceedings of INDOCRYPT 2002, LNCS, Springer-Verlag, 2002
Cited by 3 (0 self)
Abstract. This work is about distributed protocols for oblivious transfer, proposed by Naor and Pinkas, and recently generalized by Blundo et al. In this setting a Sender has n secrets and a Receiver is interested in one of them. The Sender distributes the information about the secrets to m servers, and a Receiver must contact a threshold of the servers in order to compute the secret. These distributed oblivious transfer protocols provide information-theoretic security. We present an impossibility result and a lower bound for the existence of one-round threshold distributed oblivious transfer protocols, generalizing the results of Blundo et al. A threshold-based construction implementing 1-out-of-n distributed oblivious transfer achieving the proved lower bound for existence is proposed.
Error-tolerant combiners for oblivious primitives
Cited by 1 (0 self)
Abstract. A robust combiner is a construction that combines several implementations of a primitive based on different assumptions, and yields an implementation guaranteed to be secure if at least some assumptions (i.e. sufficiently many but not necessarily all) are valid. In this paper we generalize this concept by introducing error-tolerant combiners, which in addition to protection against insecure implementations provide tolerance to functionality failures: an error-tolerant combiner guarantees a secure and correct implementation of the output primitive even if some of the candidates are insecure or faulty. We present simple constructions of error-tolerant robust combiners for oblivious linear function evaluation. The proposed combiners are also interesting in the regular (not error-tolerant) case, as the construction is much more efficient than the combiners known for oblivious transfer.
Unconditionally Secure Anonymous Encryption and Group Authentication
2005
Cited by 1 (0 self)
Abstract. Anonymous channels or similar techniques that achieve a sender’s anonymity play important roles in many applications, e.g. electronic voting. However, they will be meaningless if cryptographic primitives containing the sender’s identity are carelessly used during the transmission. In computationally secure settings, this problem may be easily overcome by using public key encryption and group signatures. However, in an unconditionally secure setting, in which no computational difficulty is assumed, this is not an easy case as such. As increasing computational power approaches the point where security policy can no longer assume the difficulty of solving factoring or discrete logarithm problems, it must shift its focus to assuring the solvency of unconditionally secure schemes that provide long-term security. The main contribution of this paper is to study the security primitives for the above problem. In this paper, we first define the unconditionally secure asymmetric encryption scheme, which is an encryption scheme with unconditional security and where it is impossible for a receiver to deduce the identity of a sender from the encrypted message. We also investigate tight lower bounds on required memory sizes from an information-theoretic viewpoint and show an optimal construction based on polynomials. It is remarkable to see that these bounds are considerably different from those in Shannon’s model of the conventional unconditionally secure symmetric encryption. Other than the polynomial-based scheme,