Protecting Mobile Agents Against Malicious Hosts, 1997
Cited by 250 (1 self)
A key element of any mobile-code-based distributed system is the security mechanisms available to protect (a) the host against potentially hostile actions of a code fragment under execution and (b) the mobile code against tampering attempts by the executing host. Many techniques for the first problem (a) have been developed. The second problem (b) seems to be much harder: It is the general belief that computation privacy for mobile code cannot be provided without tamper-resistant hardware. Furthermore it is doubted that an agent can keep a secret (e.g., a secret key to generate digital signatures). There is an error in reasoning in the arguments supporting these beliefs which we are going to point out. In this paper we describe software-only approaches for providing computation privacy for mobile code in the important case that the mobile code fragment computes an algebraic circuit (a polynomial). We further describe an approach how a mobile agent can digitally sign his...
Towards Mobile Cryptography, 1998
Cited by 91 (2 self)
Mobile code technology has become a driving force for recent advances in distributed systems. The concept of mobility of executable code raises major security problems. In this paper we deal with the protection of mobile code from possibly malicious hosts. We conceptualize on the specific cryptographic problems posed by mobile code. We are able to provide a solution for some of these problems: We present techniques how to achieve "non-interactive computing with encrypted programs" in certain cases and give a complete solution for this problem in important instances. We further present a way how an agent might securely perform a cryptographic primitive, digital signing, in an untrusted execution environment. Our results are based on the use of homomorphic encryption schemes and function composition techniques. 1 Introduction The security of the execution environment is a basic cornerstone of cryptographic systems: the parties which perform a cryptographic protocol require a tru...
One-Round Secure Computation and Secure Autonomous Mobile Agents (Extended Abstract), 2000
Cited by 56 (0 self)
This paper investigates one-round secure computation between two distrusting parties: Alice and Bob each have private inputs to a common function, but only Alice, acting as the receiver, is to learn the output; the protocol is limited to one message from Alice to Bob followed by one message from Bob to Alice. A model in which Bob may be computationally unbounded is investigated, which corresponds to information-theoretic security for Alice. It is shown that 1. for honest-but-curious behavior and unbounded Bob, any function computable by a polynomial-size circuit can be computed securely assuming the hardness of the decisional Diffie-Hellman problem; 2. for malicious behavior by both (bounded) parties, any function computable by a polynomial-size circuit can be computed securely, in a public-key framework, assuming the hardness of the decisional Diffie-Hellman problem.
Non-Interactive CryptoComputing for NC1, in 40th Annual Symposium on Foundations of Computer Science, 1999
Cited by 50 (0 self)
The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid-80s. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model. Namely, the number of communication rounds in which Alice and Bob need to engage to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one-round, and thus round-optimal, protocol for secure evaluation of circuits which is in polynomial-time for NC
Towards Formal Analysis of Security Protocols, in Computer Security Foundations Workshop VI, 1993
Cited by 29 (4 self)
The pioneering and well-known work of Burrows, Abadi and Needham (the BAN logic) which dominates the area of security protocol analysis is shown to take an approach which is not fully formal and which consequently permits approval of dangerous protocols. Measures to make the BAN logic formal are then proposed. The formalisation is found to be desirable not only for its potential in providing rigorous analysis of security protocols, but also for its readiness for supporting a computer-aided fashion of analysis. 1 Introduction A security protocol such as one for distributing cryptographic keys is essentially a few lines of a specification of a program. Its analysis can therefore be considered as analogous to the correctness verification of such a program. However, unlike the case of running a computer program, where the user naturally bears an intention to follow the instruction so to avoid potential bugs, the main objective of a dishonest user during a run of a security protocol is to ...
Homomorphic Public-Key Cryptosystems and Encrypting Boolean Circuits, 2003
Cited by 12 (2 self)
In this paper homomorphic cryptosystems are designed for the first time over any finite group. Applying Barrington's construction we produce for any boolean circuit of the logarithmic depth its encrypted simulation of a polynomial size over an appropriate finitely generated group.
CryptoComputing with rationals, 2002
Cited by 6 (0 self)
In this paper we describe a method to compute with encrypted rational numbers.
Constructions in public-key cryptography over matrix groups, Contemp. Math., Amer. Math. Soc.
Cited by 5 (3 self)
The purpose of the paper is to give new key agreement protocols (a multi-party extension of the protocol due to Anshel-Anshel-Goldfeld and a generalization of the Diffie-Hellman protocol from abelian to solvable groups) and a new homomorphic public-key cryptosystem. They rely on difficulty of the conjugacy and membership problems for subgroups of a given group. To support these and other known cryptographic schemes we present a general technique to produce a family of instances being matrix groups (over finite commutative rings) which play a role for these schemes similar to the groups Z_n^* in the existing cryptographic constructions like RSA or discrete logarithm. Partially supported by RFFI grants 03-01-00349, NSH-2251.2003.1. The paper was done during the
The Blinding of Weak Signatures (Extended Abstract)
Cited by 4 (0 self)
The linearity of "check vectors" -- a technique of secure distributed computation -- gives an efficient solution to the problem of blind weak signatures (where a weak signature requires the on-line participation of a third party [17]). We refine aspects of the notion of "blinding a signature," and apply our weak schemes to on-line digital cash and other problems. The protocols we present are distinctly short, simple, and of low complexity. 1 Introduction Blind signature schemes, as introduced by Chaum [4], allow a message holder to obtain a signature without disclosing the contents of the message to the signer. In this paper, we explore the possibility of blind signature without any cryptographic assumptions at all. This may seem an unlikely prospect, since any secure signature scheme -- blind or otherwise -- requires some intractability assumptions (one-way functions) [13]. However, what is true for standard signature schemes is not true for "weak" signature schemes. Weak signature...
Two-Party Computing with Encrypted Data, ASIACRYPT'07, 2007
Cited by 2 (1 self)
We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of “Computing with Encrypted Data” that was put forth in 1978 by Rivest, Adleman and Dertouzos which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryption of their local inputs. Then in an on-line stage, given any common input circuit C and its set of inputs from among the published encryptions, the first party sends a single message to the second party, who completes the computation.

