## Universally Composable Two-Party and Multi-Party Secure Computation (2002)

Citations: 139 - 33 self

### BibTeX

@MISC{Canetti02universallycomposable,
    author = {Ran Canetti and Yehuda Lindell and Rafail Ostrovsky and Amit Sahai},
    title = {Universally Composable Two-Party and Multi-Party Secure Computation},
    year = {2002}
}

### Abstract

We show how to securely realize any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multi-party network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies non-malleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.

### Citations

1241 | Probabilistic encryption - Goldwasser, Micali - 1984
Citation Context: ...ent protocols are protocols that securely realize the ideal commitment functionality [12]. Existing constructions [12, 17] are based on stronger computational assumptions.) Our scheme uses tools from [35, 26, 11, 12, 23, 46]. Next, plugging the new scheme into the UC zero-knowledge protocol of [12] (which assumes access to the ideal commitment functionality), we obtain an adaptively secure UC zero-knowledge protocol in t...

1086 | The Knowledge Complexity of Interactive Proof Systems - Goldwasser, Micali, et al. - 1985
Citation Context: ...m statements, and simplified the design and analysis of protocols. Indeed, this relatively simple model is a natural choice for the initial study of protocols. Some of the many works in this model are [43, 4, 25, 36, 47, 33, 28, 3, 15, 2, 34, 38, 44, 31]. ∗IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. email: canetti@watson.ibm.com †Department of Computer Science, The Weizmann Institute of Science, Rehovot 76100, Isra...

723 | Completeness theorems for non cryptographic fault tolerant distributed computation, 20th STOC - Ben-Or, Goldwasser, et al. - 1988
Citation Context: ...m statements, and simplified the design and analysis of protocols. Indeed, this relatively simple model is a natural choice for the initial study of protocols. Some of the many works in this model are [43, 4, 25, 36, 47, 33, 28, 3, 15, 2, 34, 38, 44, 31]. ∗IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. email: canetti@watson.ibm.com †Department of Computer Science, The Weizmann Institute of Science, Rehovot 76100, Isra...

670 | Universally composable security: A new paradigm for cryptographic protocols - Canetti - 2001
Citation Context: ...is designed and analyzed as “stand alone”, and security in a multi-execution environment is guaranteed via a secure composition theorem. recently proposed framework of universally composable security [10] which builds and extends on many previous works, e.g. [40, 9]. Here a generic definition is given for what it means for a protocol to “securely realize a given ideal functionality,” where an “ideal fu...

538 | How to Play Any Mental Game, or: A completeness theorem for protocols with honest majority - Goldreich, Micali, et al. - 1987
Citation Context: ...m statements, and simplified the design and analysis of protocols. Indeed, this relatively simple model is a natural choice for the initial study of protocols. Some of the many works in this model are [43, 4, 25, 36, 47, 33, 28, 3, 15, 2, 34, 38, 44, 31]. ∗IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. email: canetti@watson.ibm.com †Department of Computer Science, The Weizmann Institute of Science, Rehovot 76100, Isra...

503 | A Randomized Protocol for Signing Contracts - Even, Goldreich, et al. - 1985

473 | Non-Malleable Cryptography - Dolev, Dwork, et al. - 1991
Citation Context: ...on environments is to explicitly incorporate these threats into the security model and analysis. Such an approach was taken, for instance, in the cases of non-malleable commitments and zero-knowledge [23, 20, 46, 21, 19], and concurrent composition of zero-knowledge and oblivious transfer protocols [24, 45, 29]. However, this approach is inherently limited since it needs to explicitly address each new concern, whereas...

415 | Security and Composition of Multi-party Cryptographic Protocols. To appear in the Journal of Cryptology. Available from the Theory of Cryptography Library at http://philby.ucsd.edu/cryptlib - Canetti - 1998
Citation Context: ...a multi-execution environment is guaranteed via a secure composition theorem. recently proposed framework of universally composable security [10] which builds and extends on many previous works, e.g. [40, 9]. Here a generic definition is given for what it means for a protocol to “securely realize a given ideal functionality,” where an “ideal functionality” is a natural algorithmic way for capturing the de...

390 | Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems - Goldreich, Micali, et al. - 1991

386 | A hard-core predicate for all one-way functions - Goldreich, Levin - 1989
Citation Context: ...yption schemes, and in particular for the scheme of [ddn00]. For the second encryption scheme, denoted E, we use the standard encryption scheme based on trapdoor-permutations and hard-core predicates [gl89], where the public key is a trapdoor permutation f, and the private key is f⁻¹. Here encryption of a bit b is f(x) where x is a randomly chosen element such that the hard-core predicate of x is b. ...

317 | How to Exchange Secrets by Oblivious Transfer - Rabin - 1981

270 | Ben-Or: Verifiable Secret Sharing and Multiparty Protocols with Honest Majority - Rabin, Michael - 1989

199 | Non-Interactive Zero-Knowledge - Blum, Santis, et al. - 1991

190 | Foundations of Cryptography: Volume 2 – Basic Applications - Goldreich - 2004

176 | Multiple non-interactive zero knowledge proofs based on a single random string - Feige, Lapidot, et al. - 1990

173 | Concurrent zero-knowledge - Dwork, Naor, et al. - 2004

162 | Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security - Sahai - 1999
Citation Context: ...on environments is to explicitly incorporate these threats into the security model and analysis. Such an approach was taken, for instance, in the cases of non-malleable commitments and zero-knowledge [23, 20, 46, 21, 19], and concurrent composition of zero-knowledge and oblivious transfer protocols [24, 45, 29]. However, this approach is inherently limited since it needs to explicitly address each new concern, whereas...

151 | Universally Composable Commitments - Canetti, Fischlin - 2001

146 | Composition and Integrity Preservation of Secure Reactive Systems - Pfitzmann, Waidner - 2000
Citation Context: ...ty of protocols is preserved under a general composition operation with an unbounded number of copies of arbitrary protocols running concurrently in the system. As in other general definitions (e.g., [34, 40, 1, 42, 9]), the security requirements of a given task (i.e., the functionality expected from a protocol that carries out the task) are captured via a set of instructions for a “trusted party” that obtains the ...

141 | Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority - Beaver - 1991
Citation Context: ...ity of protocols is preserved under a general composition operation with an unbounded number of copies of arbitrary protocols running concurrently in the system. As in other general definitions (e.g., [34, 40, 1, 42, 9]), the security requirements of a given task (i.e., the functionality expected from a protocol that carries out the task) are captured via a set of instructions for a “trusted party” that obtains the ...

128 | to Prove a Theorem So No One Else Can Claim It - Blum - 1986
Citation Context: ...le. Simplified Feige-Shamir Commitment. We briefly describe a simplified version of the Feige-Shamir trapdoor commitment scheme [26], which is based on the zero-knowledge proof for Hamiltonicity of Blum [5]. First, a graph G (with q nodes) is found, so that it is hard to find a Hamiltonian cycle in G within polynomial-time. This is achieved as follows: choose x ∈_R {0,1}^k and compute y = f(x), where f is...

123 | Non-interactive zero-knowledge and its applications - Blum, Feldman, et al. - 1988
Citation Context: ...el all parties are given a common, public reference string that is ideally chosen from a given distribution. This model was originally proposed in the context of non-interactive zero-knowledge proofs [bfm88] and since then has proved useful in other cases as well.) 1 Our results. Loosely speaking, we show that any functionality can be realized in a universally composable way, in the CRS model, regardless...

117 | On the Concurrent Composition of Zero-Knowledge Proofs - Richardson, Kilian - 1999
Citation Context: ...ch an approach was taken, for instance, in the cases of non-malleable commitments and zero-knowledge [23, 20, 46, 21, 19], and concurrent composition of zero-knowledge and oblivious transfer protocols [24, 45, 29]. However, this approach is inherently limited since it needs to explicitly address each new concern, whereas in a realistic network setting, the threats may be unpredictable. Furthermore, it inevitab...

110 | Zero knowledge proofs of knowledge in two rounds - Feige, Shamir

102 | Foundations of Cryptography: Volume 1 – Basic Tools - Goldreich - 2001
Citation Context: ...ote by C(w; r) a commitment to a string w using a random string r. For simplicity, we use a non-interactive commitment scheme. Such schemes exist assuming the existence of 1-1 one-way functions, see [g01]. (Alternatively, we could use the Naor scheme [n91] that can be based on any one-way function, rather than requiring 1-1 one-way functions. In this scheme, the receiver sends an initial message and ...

92 | Coin flipping by telephone - Blum - 1982
Citation Context: ... statements, and simplified the design and analysis of protocols. Indeed, this relatively simple model is a natural choice for the initial study of protocols. Some of the many works in this model are [43, 4, 25, 36, 47, 33, 28, 3, 15, 2, 34, 38, 44, 31]. ∗IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, NY 10598, USA. email: canetti@watson.ibm.com †Department of Computer Science, The Weizmann Institute of Science, Rehovot 76100, Israel...

87 | Adaptively secure multi-party computation - Canetti, Feige, et al. - 1996
Citation Context: ...securely realize F ot in the semi-honest case. In the non-adaptive case, the protocol of [egl85, g98] suffices. In the adaptive case, our protocol uses an augmented version of non-committing encryption [cfgn96]. The augmentation consists of two additional properties. First, the encryption scheme should have an alternative key generation algorithm that generates only public encryption keys without the corr...

86 | Fair Computation of General Functions - Goldwasser, Levin - 1990
Citation Context: ...ity of protocols is preserved under a general composition operation with an unbounded number of copies of arbitrary protocols running concurrently in the system. As in other general definitions (e.g., [34, 40, 1, 42, 9]), the security requirements of a given task (i.e., the functionality expected from a protocol that carries out the task) are captured via a set of instructions for a “trusted party” that obtains the ...

77 | Multiparty Computation with Faulty Majority - Beaver, Goldwasser - 1989

68 | Zero-knowledge proofs of knowledge without interaction - Santis, Persiano - 1992
Citation Context: ...y distributed (but is rather taken from some different distribution). If a uniformly distributed common reference string is to be used, then we additionally assume the existence of dense cryptosystems [dp92]. Related work. In a concurrent and independent work [dn01], Damgard and Nielsen consider a functionality that has great resemblance to our commit-and-prove functionality, and construct universally co...

65 | Non-interactive and non-malleable commitment - Crescenzo, Ishai, et al. - 1998

59 | Secure Computation. Unpublished manuscript - Micali, Rogaway - 1992
Citation Context: ...a multi-execution environment is guaranteed via a secure composition theorem. recently proposed framework of universally composable security [10] which builds and extends on many previous works, e.g. [40, 9]. Here a generic definition is given for what it means for a protocol to “securely realize a given ideal functionality,” where an “ideal functionality” is a natural algorithmic way for capturing the de...

54 | Foundations of Cryptography: Volume I Basic Tools - Goldreich - 2001

52 | Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor - Damgård, Nielsen - 2002
Citation Context: ...otocol in the CRS model, assuming only existence of trapdoor permutations. (UC commitment protocols are protocols that securely realize the ideal commitment functionality [12]. Existing constructions [12, 17] are based on stronger computational assumptions.) Our scheme uses tools from [35, 26, 11, 12, 23, 46]. Next, plugging the new scheme into the UC zero-knowledge protocol of [12] (which assumes access ...

45 | General composition and universal composability in secure multi-party computation - Lindell - 2003
Citation Context: ...lain model [ckl03]. Thus, some setup assumption, like that of a common reference string assumed here, is essential for obtaining UC security in the case of no honest majority. Another subsequent work [l03] has shown that the impossibility results of [ckl03] hold for any definition that implies security under the composition operation considered by the UC framework. Thus, in the plain model and with no ...

43 | Secure Computation Without Agreement - Goldwasser, Lindell

41 | Uses of randomness in algorithms and protocols - Kilian - 1990

38 | Bit Commitment using Pseudorandom Generators - Naor - 1991
Citation Context: ...e that the commitment scheme aHCG can be implemented using one-way functions only. In order for this to be the case, the underlying Com commitment used in aHCG is replaced by the commitment scheme of [41], that can be based on any one-way function. Indeed, the [41] scheme produces random-looking commitments, as required by aHCG . In addition, we modify the protocol so that B also sends the receiver me...

36 | Secure Multi-Party Computation. Manuscript. Preliminary version - Goldreich - 1998

31 | On the Composition of Authenticated Byzantine Agreement - Lindell, Lysyanskaya, et al.
Citation Context: ...nous broadcast channel among themselves. No global synchronization is otherwise assumed. (Such synchronization and authentication primitives can be achieved using standard methods, see discussions in [10, 39]. In particular, in the case of two-party protocols these assumptions fall back to a standard asynchronous, pairwise, authenticated network.) Outline of the construction. Our construction follows the g...

24 | Improved non-committing encryption schemes based on a general complexity assumption - Damgård, Nielsen - 2000
Citation Context: ...malicious) we assume the existence of trapdoor permutations only. For the adaptive, semi-honest case we additionally assume the existence of obliviously generatable public-key encryption schemes as in [22, 16] where public keys can be generated without knowing the corresponding private keys. Alternatively, if we assume existence of dense cryptosystems [22] (where public key is uniformly distributed), a req...

21 | Plug and play encryption - Beaver - 1997

20 | Concurrent oblivious transfer - Garay, MacKenzie - 2000

18 | Composition and integrity preservation of secure reactive systems - Pfitzmann, Waidner - 2000
Citation Context: ...ity of protocols is preserved under a general composition operation with an unbounded number of copies of arbitrary protocols running concurrently in the system. As in other general definitions (e.g., [34, 40, 1, 42, 9]), the security requirements of a given task (i.e., the functionality expected from a protocol that carries out the task) are captured via a set of instructions for a “trusted party” that obtains the ...

16 | Public-key encryption in a multi-user setting - Bellare, Boldyreva, et al. - 2000

12 | Verifiable Secret Sharing and Multi-party - Rabin, Ben-Or - 1989

10 | Non-interactive zero-knowledge and its applications. STOC 88 - Blum, Feldman, et al.
Citation Context: ... all parties are given a common, public reference string that was ideally chosen from a given distribution. This notion was originally proposed in the context of non-interactive zero-knowledge proofs [6] and since then proved useful in other cases as well.) Our results. We show that any functionality can be realized in a universally composable way, in the CRS model and under general cryptographic ass...

9 | Universal composition with joint state. Cryptology ePrint Archive, report 2002/47 - Canetti, Rabin - 2003

8 | How to generate and exchange secrets, FOCS - Yao - 1986

7 | Reducibility and Completeness - Kushilevitz, Micali, et al.