Results 1–10 of 39
Oblivious-transfer amplification
 In Proc. EUROCRYPT ’07
Cited by 28 (7 self)
Oblivious transfer (OT) is a primitive of paramount importance in cryptography or, more precisely, in two- and multi-party computation, due to its universality. Unfortunately, OT cannot be achieved in an unconditionally secure way for both parties from scratch. Therefore, it is a natural question what information-theoretic primitives or computational assumptions OT can be based on. The results in our paper are threefold. First, we show how to optimally realize unconditionally secure OT from a weak variant of OT called universal OT, for which a malicious receiver can virtually obtain any possible information he wants, as long as he does not get all the information. This result is based on a novel distributed leftover hash lemma which is of independent interest. Second, we give conditions for when OT can be obtained from a faulty variant of OT called weak OT, for which it can occur that any of the parties obtains too much information, or the result is incorrect. These bounds and protocols, which correct previous results by Damgård et al., are of central interest since in most known realizations of OT from weak primitives, such as noisy channels, a weak OT is constructed first. Finally, we carry over our results to the computational setting and show how a weak OT that is sometimes incorrect and is only mildly secure against computationally bounded adversaries can be strengthened.
On the impossibility of efficiently combining collision resistant hash functions
 In Proc. Crypto ’06
, 2006
Cited by 21 (0 self)
Let H1, H2 be two hash functions. We wish to construct a new hash function H that is collision resistant if at least one of H1 or H2 is collision resistant. Concatenating the output of H1 and H2 clearly works, but at the cost of doubling the hash output size. We ask whether a better construction exists, namely, can we hedge our bets without doubling the size of the output? We take a step towards answering this question in the negative: we show that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.
Unconditional security from noisy quantum storage
, 2009
Cited by 18 (1 self)
We consider the implementation of two-party cryptographic primitives based on the sole assumption that no large-scale reliable quantum storage is available to the cheating party. We construct novel protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide security even against the most general attack. Such unconditional results were previously only known in the so-called bounded-storage model, which is a special case of our setting. Our protocols can be implemented with present-day hardware used for quantum key distribution. In particular, no quantum storage is required for the honest parties.
On robust combiners for private information retrieval and other primitives
 CRYPTO
, 2006
Cited by 17 (2 self)
Let A and B denote cryptographic primitives. A (k, m)-robust A-to-B combiner is a construction which takes m implementations of primitive A as input and yields an implementation of primitive B which is guaranteed to be secure as long as at least k input implementations are secure. The main motivation for such constructions is tolerance against wrong assumptions on which the security of implementations is based. For example, a (1,2)-robust A-to-B combiner yields a secure implementation of B even if an assumption underlying one of the input implementations of A turns out to be wrong. In this work we study robust combiners for private information retrieval (PIR), oblivious transfer (OT), and bit commitment (BC). We propose a (1,2)-robust PIR-to-PIR combiner, and describe various optimizations based on properties of existing PIR protocols. The existence of simple PIR-to-PIR combiners is somewhat surprising, since OT, a very closely related primitive, seems difficult to combine (Harnik et al., Eurocrypt ’05). Furthermore, we present (1,2)-robust PIR-to-OT and PIR-to-BC combiners. To the best of our knowledge these are the first constructions of A-to-B combiners with A ≠ B. Such combiners, in addition to being interesting in their own right, offer insights into relationships between cryptographic primitives. In particular, our PIR-to-OT combiner together with the impossibility result for OT-combiners of Harnik et al. rule out certain types of reductions of PIR to OT. Finally, we suggest a more fine-grained approach to the construction of robust combiners, which may lead to more efficient and practical combiners in many scenarios.
Non-Trivial Black-Box Combiners for Collision-Resistant Hash-Functions don’t Exist
 Advances in Cryptology — Eurocrypt 2007, Lecture Notes in Computer Science
Cited by 11 (2 self)
A (k, ℓ)-robust combiner for collision-resistant hash-functions is a construction which from ℓ hash-functions constructs a hash-function which is collision-resistant if at least k of the components are collision-resistant. One trivially gets a (k, ℓ)-robust combiner by concatenating the output of any ℓ − k + 1 of the components; unfortunately, this is not very practical, as the length of the output of the combiner is quite large. We show that this is unavoidable, as no black-box (k, ℓ)-robust combiner whose output is significantly shorter than what can be achieved by concatenation exists. This answers a question of Boneh and Boyen (Crypto ’06).
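The concatenation combiner that this abstract and the Boneh–Boyen abstract above both take as the trivial baseline, written out as an added Python example (it is not code from either paper). The (k, ℓ) combiner evaluates any ℓ − k + 1 of the ℓ components and concatenates their digests; the comments carry the pigeonhole argument for why that count suffices. The component `broken_prefix_hash` and the two sample messages are constructed for the demonstration: it stands in for a component whose underlying assumption has failed and collides on any two messages sharing a 4-byte prefix. The two real components are `hashlib` SHA-256 and SHA3-256.

```python
import hashlib
from typing import Callable, List

Hash = Callable[[bytes], bytes]


def concat_combiner(components: List[Hash], k: int) -> Hash:
    """(k, l)-robust combiner for collision resistance by concatenation.

    Evaluates l - k + 1 of the l components and concatenates the digests.
    A collision on the result is simultaneously a collision on every
    evaluated component. At most l - k components can be insecure, and
    l - k + 1 are evaluated, so at least one evaluated component is
    collision-resistant and the collision would break it. The price is the
    output length: the sum of the evaluated components' digest lengths.
    """
    l = len(components)
    if not 1 <= k <= l:
        raise ValueError("need 1 <= k <= number of components")
    chosen = components[: l - k + 1]  # any l-k+1 of them would do

    def combined(message: bytes) -> bytes:
        return b"".join(h(message) for h in chosen)

    return combined


def output_length(h: Hash) -> int:
    """Digest length in bytes, measured on the empty message."""
    return len(h(b""))


def sha256_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def sha3_256_digest(message: bytes) -> bytes:
    return hashlib.sha3_256(message).digest()


def broken_prefix_hash(message: bytes) -> bytes:
    """Constructed stand-in for a component whose assumption failed: only the
    first four bytes of the message reach the digest, so any two messages with
    the same 4-byte prefix collide. Not a real hash function."""
    return hashlib.sha256(message[:4]).digest()


def is_collision(h: Hash, m1: bytes, m2: bytes) -> bool:
    return m1 != m2 and h(m1) == h(m2)


if __name__ == "__main__":
    # Constructed sample messages: same 4-byte prefix, different payload.
    m1 = b"ACCTtransfer:100:alice"
    m2 = b"ACCTtransfer:999:mallory"
    components = [broken_prefix_hash, sha256_digest, sha3_256_digest]

    print("broken component collides:", is_collision(broken_prefix_hash, m1, m2))
    for k in (1, 2, 3):
        c = concat_combiner(components, k)
        # k=3 promises security only if all three components are secure;
        # with one broken component that promise does not apply, and the
        # single-component "combiner" inherits the collision.
        print(f"(k={k}, l=3): {output_length(c)}-byte output,"
              f" collision: {is_collision(c, m1, m2)}")
```

Running it shows the trade-off the abstract describes: with k = 1 the combiner has to evaluate all three components and its output is 96 bytes; with k = 2 it evaluates two (64 bytes) and still withstands the broken component; with k = 3 it evaluates only one, which here happens to be the broken one, so the collision carries over, as expected when fewer than k components are actually secure.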
A complete public-key cryptosystem
 Groups, Complexity, Cryptology
Cited by 10 (6 self)
We present a cryptosystem which is complete for the class of probabilistic public-key cryptosystems with bounded error. Besides traditional encryption schemes such as RSA and ElGamal and the probabilistic encryption of Goldwasser and Micali, this class also contains the Ajtai-Dwork and NTRU cryptosystems. The latter two make errors with a small positive probability.
On optimal heuristic randomized semidecision procedures, with applications to proof complexity and cryptography
, 2010
Extracting Correlations
Cited by 9 (2 self)
Motivated by applications in cryptography, we consider a generalization of randomness extraction and the related notion of privacy amplification to the case of two correlated sources. We introduce the notion of correlation extractors, which extract nearly perfect independent instances of a given joint distribution from imperfect, or “leaky,” instances of the same distribution. More concretely, suppose that Alice holds a and Bob holds b, where (a, b) are obtained by taking n independent samples from a joint distribution (X, Y) and letting a include all X instances and b include all Y instances. An adversary Eve obtains partial information about (a, b) by choosing a function L with output length t and learning L(a, b). The goal is to design a protocol between Alice and Bob, which may use additional fresh randomness, such that for every L as above the following holds. At the end of the interaction, Alice
Robust Multi-Property Combiners for Hash Functions Revisited
Cited by 8 (4 self)
A robust multi-property combiner for a set of security properties merges two hash functions such that the resulting function satisfies each of the properties which at least one of the two starting functions has. Fischlin and Lehmann (TCC 2008) recently constructed a combiner which simultaneously preserves collision-resistance, target collision-resistance, message authentication, pseudorandomness and indifferentiability from a random oracle (IRO). Their combiner produces outputs of 5n bits, where n denotes the output length of the underlying hash functions. In this paper we propose improved combiners with shorter outputs. By sacrificing the indifferentiability from random oracles we obtain a combiner which preserves all of the other aforementioned properties but with output length 2n only. This matches a lower bound for black-box combiners for collision-resistance as the only property, showing that the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the IRO property, slightly increasing the output length to 2n + ω(log n). Finally, we show that a twist on our combiners also makes them robust for one-wayness (but at the price of a fixed input length).
Robuster Combiners for Oblivious Transfer
Cited by 8 (3 self)
A (k; n)-robust combiner for a primitive F takes as input n candidate implementations of F and constructs an implementation of F which is secure assuming that at least k of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong assumptions underlying the candidate schemes. In a recent work, Harnik et al. (Eurocrypt 2005) have proposed a (2; 3)-robust combiner for oblivious transfer (OT), and have shown that (1; 2)-robust OT-combiners of a certain type are impossible. In this paper we propose new, generalized notions of combiners for two-party primitives, which capture the fact that in many two-party protocols the security of one of the parties is unconditional, or is based on an assumption independent of the assumption underlying the security of the other party. This fine-grained approach results in OT-combiners strictly stronger than the constructions known before. In particular, we propose an OT-combiner which guarantees secure OT even when only one candidate is secure for both parties, and every remaining candidate is flawed for one of the parties. Furthermore, we present an efficient uniform OT-combiner, i.e., a single combiner which is secure simultaneously for a wide range of candidates’ failures. Finally, our definition allows for a very simple impossibility result, which shows that the proposed OT-combiners achieve optimal robustness.