## Improved non-committing encryption schemes based on a general complexity assumption (2000)

Venue: CRYPTO'00, Springer-Verlag (LNCS 1880)

Citations: 23 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Nielsen00improvednon-committing,
  author    = {Jesper Buus Nielsen},
  title     = {Improved non-committing encryption schemes based on a general complexity assumption},
  booktitle = {In CRYPTO'00, Springer-Verlag (LNCS 1880)},
  year      = {2000},
  pages     = {432--450},
  publisher = {Springer-Verlag}
}
```

### Abstract

Non-committing encryption enables the construction of multiparty computation protocols secure against an adaptive adversary in the computational setting where private channels between players are not assumed. While any non-committing encryption scheme must be secure in the ordinary semantic sense, the converse is not necessarily true. We propose a construction of non-committing encryption that can be based on any public-key system which is secure in the ordinary sense and which has an extra property we call simulatability. This generalises an earlier scheme proposed by Beaver based on the Diffie-Hellman problem, and we propose another implementation based on RSA. In a more general setting, our construction can be based on any collection of trapdoor permutations with a certain simulatability property. This offers a considerable efficiency improvement over the first non-committing encryption scheme proposed by Canetti et al. Finally, at some loss of efficiency, our scheme can be based on general collections of trapdoor permutations without the simulatability assumption, and without the common-domain assumption of Canetti et al. In showing this last result, we identify and correct a bug in a key generation protocol from Canetti et al.

### Citations

520 | How to play any mental game or a completeness theorem for protocols with honest majority - Goldreich, Micali, et al. - 1987

Context: ...t result, we identify and correct a bug in a key generation protocol from Canetti et al. 1 Introduction: The problem of multiparty computation dates back to the papers by Yao [20] and Goldreich et al. [15]. What was proved there was basically that a collection of n players can efficiently compute the value of an n-input function, such that everyone learns the correct result, but no other new information....

433 | Multiparty unconditionally secure protocols (extended abstract) - Chaum, Crépeau, et al.

392 | Security and Composition of Multi-party Cryptographic Protocols - Canetti

Context: ...or non-adaptive. [Footnote: Basic Research in Computer Science, Centre of the Danish National Research Foundation.] There are several different proposals on how to define formally the security of such protocols [19, 3, 8], but common to them all is the idea that security means that the adversary's view can be simulated efficiently by a machine that has access to only those data that the adversary is entitled to know. Pr...

162 | Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design - Goldreich, Micali, et al. - 1986

Context: ... proceeds as follows: Each player P_i chooses at random two permutations (g^i_0, g^i_1) and sends these to S. Next S chooses c = 0 or 1 at random, and executes the oblivious transfer (OT) protocol of [14] with P_i as sender using the trapdoors of (g^i_0, g^i_1) as input and S as receiver using c as input, and such that S receives the trapdoor of g^i_c. The OT protocol of [14] has a non-binding prop...

140 | Foundations of secure interactive computing - Beaver - 1991

Context: ...or non-adaptive. [Footnote: Basic Research in Computer Science, Centre of the Danish National Research Foundation.] There are several different proposals on how to define formally the security of such protocols [19, 3, 8], but common to them all is the idea that security means that the adversary's view can be simulated efficiently by a machine that has access to only those data that the adversary is entitled to know. Pr...

113 | An efficient probabilistic public-key encryption scheme which hides all partial information - Blum, Goldwasser - 1984

Context: ...are computationally indistinguishable, where (i, t_i) ← G and ĩ ← G̃. Given F a collection of trapdoor permutations one can construct a semantically secure public-key system using the construction in [7]. We review the construction here and observe that it preserves simulatability. Let B be a hard-core predicate of the collection of trapdoor permutations. If no such B is known one can construct a new...

98 | Completeness theorems for non-cryptographic fault-tolerant distributed computation - Ben-Or, Goldwasser, Wigderson - 1988

Context: ...simulation in the case of [15] requires a complexity assumption, such as existence of trapdoor permutations. Later, unconditionally secure MPC protocols were proposed by Ben-Or et al. and Chaum et al. [6, 10], in the model where private channels are assumed between every pair of players. These protocols are in fact secure, even if the adversary is adaptive, i.e. can choose dynamically throughout the proto...

61 | Zero-knowledge proofs of knowledge without interaction - De Santis, Persiano - 1992

Context: ...uch generalisation appears to have been published before. The idea that it could be useful to generate a public key without knowing the secret key is not new. It seems to date back to De Santis et al. [12] where it was used in another context. The idea also appears in [9], but was only used there to improve the key generation procedure in some special cases (namely based on discrete logarithms and fact...

57 | Cryptographic protocols provably secure against dynamic adversaries - Beaver, Haber - 1992

Context: ...s willing to trust that honest players can erase sensitive information such that the adversary can find no trace of it, should he break in, then such adaptive security can be obtained quite efficiently [5]. Such secure erasure can be too much to hope for in realistic scenarios, and one would like to be able to do without them. But without erasure, protocols such as the one from [15] are not known to be ...

53 | Security Preserving Amplification of Hardness - Goldreich, Impagliazzo, et al. - 1990

Context: ... a prime larger than n, then x ↦ x^e mod n is a weak trapdoor permutation over Z_n^* (relative to assumption 1.) The same observation was used in [9], where they refer to general amplification results [21, 13] to obtain a collection of strong trapdoor permutations from this collection of weak ones. Here we apply an explicit amplification procedure, which is slightly more efficient, and prove that it gives us...

42 | Adaptively secure multi-party computation - Canetti, Feige, Goldreich, Naor - 1996

Context: ...ut erasure, protocols such as the one from [15] are not known to be adaptively secure. The original simulation based security proof for [15] fails completely against an adaptive adversary. However, in [9], Canetti et al. introduce a new concept called non-committing encryption and observe that if one replaces messages on the secure channels used in [6, 10] by non-committing encryptions sent on an open...

33 | How to generate factored random numbers - Bach - 1988

Context: ...k log k)-bit number and d_j = e^{-1} mod φ(n_j). To compute d_j the key-generator G must generate uniformly (or indistinguishably close to uniformly) random n_j in such a way that φ(n_j) is known. In [2] it was shown how to do this. An oblivious index (e, n_1, . . . , n_l) ← G̃ is simply generated by picking e as before and picking the n_j uniformly random. The only problem for G^{-1} in faking bits f...

32 | Adaptively secure threshold cryptography: Introducing concurrency, removing erasures - Jarecki, Lysyanskaya - 2000

Context: ...plaintext bit communicated. Subsequently, Beaver [4] proposed a much simpler scheme based on the Decisional Diffie-Hellman assumption (DDH) with expansion factor O(k). Recently, Jarecki and Lysyanskaya [17] have proposed an even more efficient scheme also based on DDH with constant expansion factor, which however is only non-committing if the receiver of a message is later corrupted. This is sufficient for t...

23 | An Efficient Probabilistic Public-key Encryption Scheme Which Hides All - Blum, Goldwasser - 1985

Context: ...are computationally indistinguishable, where (i, t_i) ← G and ĩ ← G̃. Given F a collection of trapdoor permutations one can construct a semantically secure public-key system using the construction in [7]. We review the construction here and observe that it preserves simulatability. Let B be a hard-core predicate of the collection of trapdoor permutations. If no such B is known one can construct a new...

21 | Plug and play encryption - Beaver - 1997

Context: ...ry's view before and after a player is corrupted. The scheme from [9] has expansion factor at least k^2, i.e., it needs to send Ω(k^2) bits for each plaintext bit communicated. Subsequently, Beaver [4] proposed a much simpler scheme based on the Decisional Diffie-Hellman assumption (DDH) with expansion factor O(k). Recently, Jarecki and Lysyanskaya [17] have proposed an even more efficient scheme also ...

11 | Improved non-committing encryption schemes based on a general complexity assumption - Ivan Damgård, Jesper Buus Nielsen - 2000

Context: ...on of the protocol with input m. A complete definition and a summary of previous definitional work appears in [8]. A sketch of the part of the model used in this paper appears in our technical report [11]. 5.1 The Main Idea [Figure: protocol diagram between sender S and receiver R for the main idea of the scheme; the symbols did not survive extraction.] ...