Results 1-10 of 32
Universally composable security: A new paradigm for cryptographic protocols, 2013
Cited by 611 (34 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority. In Proc. 36th STOC, 2004
Cited by 57 (17 self)
We show how to securely realize any multiparty functionality in a way that preserves security under an a-priori bounded number of concurrent executions, regardless of the number of corrupted parties. Previous protocols for the above task either rely on setup assumptions such as a Common Reference String, or require an honest majority. Our constructions are in the plain model and rely on standard intractability assumptions (enhanced trapdoor permutations and collision-resistant hash functions). Even though our main focus is on feasibility of concurrent multiparty computation, we actually obtain a protocol using only a constant number of communication rounds. As a consequence our protocol yields the first construction of constant-round stand-alone secure multiparty computation with a dishonest majority, proven secure under standard (polynomial-time) hardness assumptions; previous solutions to this task either require logarithmic round-complexity, or sub-exponential hardness assumptions. The core of our protocol is a novel construction of (concurrently) simulation-sound zero-knowledge protocols, which might be of independent interest. Finally, we extend the framework constructed to give a protocol for secure multi-party (and thus two-party) computation for any number of corrupted parties, which remains secure even when arbitrary subsets of parties concurrently execute the protocol, possibly with interchangeable roles. As far as we know, for the case of two-party or multi-party protocols with a dishonest majority, this is the first positive result for any non-trivial functionality which achieves this property in the plain model.
Concurrent non-malleable commitments. In FOCS, 2005
Cited by 34 (11 self)
We present a non-malleable commitment scheme that retains its security properties even when concurrently executed a polynomial number of times. That is, a man-in-the-middle adversary who is simultaneously participating in multiple concurrent commitment phases of our scheme, both as a sender and as a receiver, cannot make the values he commits to depend on the values he receives commitments to. Our result is achieved without assuming an a-priori bound on the number of executions and without relying on any setup assumptions. Our construction relies on the existence of standard claw-free permutations and only requires a constant number of communication rounds.
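The man-in-the-middle attack that the non-malleable commitment papers above rule out is easiest to see on a scheme that is *not* non-malleable. The following is an added example, written for this page and not taken from any of the listed papers: a Pedersen-style commitment C = g^v h^r mod p is homomorphic, so an adversary sitting between a sender (left session) and a receiver (right session) can forward C·g as a commitment to v+1 without ever learning v, and open it once the sender opens. The group parameters (p = 1019, q = 509, g = 4, h = 9) are constructed toy values chosen only so the code runs offline; nobody in the example knows log_g(h).

```python
"""Added example: malleating a homomorphic (Pedersen-style) commitment.

Shows the man-in-the-middle (MITM) attack that a non-malleable commitment
scheme prevents: the MITM never learns the sender's value v, yet ends up
committed to v + 1 on the right session and can open it after the sender
opens on the left.

Toy parameters (constructed, far too small for real use): p = 2q + 1 with
p = 1019, q = 509; g = 4 and h = 9 are quadratic residues mod p, hence
elements of the prime-order-q subgroup. log_g(h) is unknown to everyone here.
"""
import secrets
from typing import Optional, Tuple

P = 1019
Q = 509
G = 4
H = 9


def commit(value: int, randomness: Optional[int] = None) -> Tuple[int, int]:
    """Pedersen commitment C = g^v * h^r mod p; returns (C, r)."""
    r = secrets.randbelow(Q) if randomness is None else randomness
    c = (pow(G, value % Q, P) * pow(H, r, P)) % P
    return c, r


def verify_opening(c: int, value: int, r: int) -> bool:
    """Receiver's check when the committer reveals (value, r)."""
    return c == (pow(G, value % Q, P) * pow(H, r, P)) % P


def malleate(c: int, delta: int) -> int:
    """Turn a commitment to v into a commitment to v + delta, knowing only c.

    Works because C * g^delta = g^(v+delta) * h^r: the homomorphism lets the
    MITM shift the committed value without opening anything.
    """
    return (c * pow(G, delta % Q, P)) % P


def mitm_attack(sender_value: int) -> dict:
    """Run a left session (sender -> MITM) and a right session (MITM -> receiver)."""
    # Left session: the honest sender commits; the MITM plays receiver and sees c_left only.
    c_left, r_left = commit(sender_value)
    # Right session: the MITM, playing sender, commits before the left commitment
    # is opened. The committed value is sender_value + 1, which the MITM does not know yet.
    c_right = malleate(c_left, 1)
    # Later the sender opens on the left, revealing (sender_value, r_left)...
    assert verify_opening(c_left, sender_value, r_left)
    # ...and the MITM reuses that opening on the right for sender_value + 1.
    mitm_value = sender_value + 1
    return {
        "left_commitment": c_left,
        "right_commitment": c_right,
        "right_opens_to": mitm_value,
        "receiver_accepts": verify_opening(c_right, mitm_value, r_left),
    }


if __name__ == "__main__":
    v = secrets.randbelow(Q)
    print(f"sender committed to {v}; MITM outcome: {mitm_attack(v)}")
```

The receiver on the right accepts a value the MITM never chose independently, which is exactly the dependency the definition in the abstract forbids. A non-malleable scheme has to break this kind of algebraic relation between the two sessions (the papers above do it with interaction and identities, not with a homomorphic one-message commitment).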
Concurrent Non-Malleable Commitments from One-way Functions, 2007
Cited by 12 (7 self)
We show the existence of concurrent non-malleable commitments based on the existence of one-way functions. Our proof of security only requires the use of black-box techniques, and additionally provides an arguably simplified proof of the existence of even stand-alone secure non-malleable commitments.
Non-Malleability Amplification. In 41st STOC, 2009
Cited by 12 (8 self)
We show a technique for amplifying commitment schemes that are non-malleable with respect to identities of length t, into ones that are non-malleable with respect to identities of length Ω(2^t), while only incurring a constant overhead in round-complexity. As a result we obtain a construction of O(1)^{log* n}-round (i.e., "essentially" constant-round) non-malleable commitments from any one-way function, and using a black-box proof of security.
Tight bounds for unconditional authentication protocols in the manual channel and shared key models. In Advances in Cryptology, CRYPTO '06, 2006
Cited by 8 (1 self)
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) − O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 log(1/ε) − 2 on the
Constant-Round Concurrent Non-Malleable Zero Knowledge in the Bare Public-Key Model
Cited by 7 (3 self)
One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the-middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model [Canetti et al. STOC 2000], resolving one of the major open problems in this area. To achieve our result, we introduce and study the notion of non-malleable witness indistinguishability, which is of independent interest. Previous results either achieved relaxed forms of concurrency/security, or needed stronger setup assumptions, or required a non-constant round complexity.
Concurrent Non-Malleable Witness Indistinguishability and Its Applications, 2006
Cited by 6 (2 self)
One of the central questions in Cryptography today is proving security of protocols "on the Internet", i.e., in a concurrent setting where there are multiple interactions between players, and where the adversary can mount so-called "man-in-the-middle" attacks, forwarding and modifying messages between two or more unsuspecting players. Indeed, the main challenge in this setting is to provide security with respect to adaptive concurrent composition of protocols and also the non-malleability property, where the "man-in-the-middle" attacks are prevented. Despite much research effort, we do not know how to implement many basic tasks in this setting (which features concurrent composition and man-in-the-middle attacks). Indeed, even
Concurrent Non-Malleable Zero Knowledge, 2006
Cited by 6 (0 self)
We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model with no common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier.
Constant-round Non-Malleable Commitment from Strong One-Way Functions. In Crypto '08, Springer LNCS 5157, 2008
Cited by 6 (4 self)
We present a constant-round non-malleable commitment scheme based on the existence of sub-exponential one-way functions and using a black-box proof of security. As far as we know, this is the first construction of a constant-round non-malleable protocol based on only one-wayness, or to admit a black-box proof of security under any standard-type assumption.