## Complexity and Security of Distributed Protocols (1993)

Citations: 19 (0 self)

### BibTeX

```bibtex
@TECHREPORT{Franklin93complexityand,
  author      = {Matthew Keith Franklin},
  title       = {Complexity and Security of Distributed Protocols},
  institution = {},
  year        = {1993}
}
```

### Abstract

This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents. We study many related models, which differ as to the allowable communication among agents, the ways in which agents may misbehave, and the complexity (cryptographic) assumptions that are made. We present new protocols, both for general secure computation (i.e., of any function over a finite domain) and for specific tasks (e.g., electronic money). We investigate fundamental relationships among security needs and various resource requirements, with an emphasis on communication complexity. A number of mathematical methods are employed for our investigations, including algebraic, graph-theoretic, and cryptographic techniques.

### Citations

2714 | New directions in cryptography
- Diffie, Hellman
Citation Context: ...gth k and some generator g of Z_{p_k}), or equivalently that it has a hard bit. The difficulty of the discrete logarithm problem is a standard cryptographic assumption first used by Diffie and Hellman [60] (on other basic uses and hard bits of the discrete log, see [30, 106]). A "communicating p.p.t. Turing Machine" is like a normal p.p.t. Turing Machine (with a read-only input tape, write-only output t...

1231 | The Byzantine Generals Problem
- Lamport, Shostak, et al.
- 1982
Citation Context: ...his section, the background definitions and concepts are presented for secure distributed computing. Two fundamental protocols are formally described: Oblivious Transfer [126] and Byzantine Agreement [103]. Some of the difficulties of formalizing security for protocols are discussed, along with some recent attempts to overcome these difficulties. 2.2.1 Protocol Definitions In this subsection, definitio...

1198 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
Citation Context: ... 2.2.2. Secret exchange [28] [31] [107] [89] [140] is a two-party protocol that transfers a message in each direction with certainty; it is discussed in more detail in Section 2.4.4. Electronic money [38] [39] is a collection of protocols (e.g., withdrawal, purchase, deposit) that implement payment schemes without any physical requirements. Secret-ballot election schemes [50] [19] [91] are essentially a...

1178 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context: ...ing, is discussed in Section 2.1.4. Coin flipping [26] is a two-party protocol that arrives at a common random bit; this was one of the earliest cryptographic protocols. Mental poker [133] [105] [51] [85] [141] [73] [52] [53] is a protocol for producing, and partially applying, a random permutation (i.e., shuffle and deal a deck of cards); as evidenced by the number of references, this problem was som...

1113 | A public key cryptosystem and a signature scheme based on discrete logarithms
- ElGamal
- 1985
Citation Context: ...in the encryption. 5.4.1 Intuition of El-Gamal Based Scheme As shown by Desmedt and Frankel [59], it is possible to construct a joint encryption scheme from El-Gamal's method of public-key encryption [64]. Although blindable, this scheme is not xor-homomorphic, and thus not an additive joint encryption scheme. However, we can convert this into an additive joint encryption scheme for which the size of a...

1047 | On the security of public-key protocols
- Dolev, Yao
- 1983

1041 | Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Rackoff
- 1989
Citation Context: ...hat the message it never sees has a certain form (i.e., that it embeds the customer's identity in the proper way). This can be done by combining the blind signature scheme with a zero knowledge proof [86, 81] or "cut-and-choose" check [125] that the message has the right form. The first off-line coin scheme, due to Chaum, Fiat, and Naor [43] takes this approach, using the blind signature scheme based on R...

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ...mmunication complexity of the protocol is independent of the computational complexity of the honest participants". In schemes which lead to practical implementations, like identification schemes [69] [72] and basic practical operations like signature and encryption, this is the case (the communication is a low-degree polynomial function of the security parameter and the input size). On the other hand,...

673 | Completeness theorems for non-cryptographic fault-tolerant distributed computation
- Ben-Or, Goldwasser, et al.
- 1988
Citation Context: ...tual secret. This primitive is also used extensively in the secure computation protocols given in this paper. To illustrate the idea, we describe a VSS scheme due to Ben-Or, Goldwasser, and Wigderson [22] that can correct up to t player errors, with no probability of errors, if n > 3t. The dealer chooses a degree t polynomial p(x, y) in two variables x and y, such that the secret s = p(0, 0). Instead ...

618 | Communication complexity
- Kushilevitz, Nisan
- 1997
Citation Context: ...c question addressed by this chapter is the "direct sum problem" for the communication complexity of secure computation (recently addressed in the "non-secure" setting by Feder, Kushilevitz, and Naor [68]), i.e., when can parallelization reduce the amortized complexity of secure computation? We show that the answer is "sometimes," "sometimes not," and "almost always," depending (of course) on security...

604 | How to generate cryptographically strong sequences of pseudorandom bits
- Blum, Micali
- 1984
Citation Context: ...s a hard bit. The difficulty of the discrete logarithm problem is a standard cryptographic assumption first used by Diffie and Hellman [60] (on other basic uses and hard bits of the discrete log, see [30, 106]). A "communicating p.p.t. Turing Machine" is like a normal p.p.t. Turing Machine (with a read-only input tape, write-only output tape, read-only random tape, one or more work tapes), except that for e...

471 | A randomized protocol for signing contracts
- Even, Goldreich, et al.
- 1985
Citation Context: ... r ≠ r'_1. There are many other types of Oblivious Transfer that have all been shown to be equivalent to the simple one [34] [54] [55]. One important alternative is called "1-2 Oblivious Transfer" [65] (abbreviated "1-2-OT"). In this version, player A begins with two secret bits b_0 and b_1. Player B can choose to receive exactly one of these bits, without letting A know which bit was chosen. Obli...

433 | How to play ANY mental game
- Goldreich, Micali, et al.
- 1987
Citation Context: ...ribution with non-zero probability. Assuming the intractability of factoring, Yao shows that every two-party interactive computational problem has a private protocol. Goldreich, Micali, and Wigderson [82] show how to weaken the intractability assumption from factoring to the existence of any trapdoor permutation. In fact, their protocol solves the following slightly different, but equivalent, problem ...

431 | Multiparty unconditionally secure protocols
- Chaum, Crépeau, et al.
- 1988
Citation Context: ...rotocols versus Passive Adversaries The first two papers suggesting general non-cryptographic distributed computation are by Ben-Or, Goldwasser and Wigderson [22], and by Chaum, Crépeau, and Damgård [41]. Both papers present protocols for t-private computation whenever n > 2t. Provided that all players obey the protocols perfectly, no minority of players can pool their knowledge at the end of the pro...

417 | Security Without Identification: Transaction Systems to make Big Brother Obsolete
- Chaum
- 1985
Citation Context: ...2. Secret exchange [28] [31] [107] [89] [140] is a two-party protocol that transfers a message in each direction with certainty; it is discussed in more detail in Section 2.4.4. Electronic money [38] [39] is a collection of protocols (e.g., withdrawal, purchase, deposit) that implement payment schemes without any physical requirements. Secret-ballot election schemes [50] [19] [91] are essentially a spec...

376 | Some simplified NP-complete graph problems
- Garey, Johnson, et al.
- 1976
Citation Context: ...: The decision problem for secure message transmission feasibility in the plug-in model is co-NP-complete Proof: The proof is by reduction from the complement of MIN EDGE-CUT INTO EQUAL-SIZED SUBSETS [79]. Let (G, k) be an instance of this latter decision problem, i.e., does there exist a set of fewer than k edges whose removal splits G = (V, E) into two subgraphs with |V|/2 nodes each? We construct ...

375 | Theoretical improvements in algorithmic efficiency for network flow problems
- Edmonds, Karp
Citation Context: ...ified in a straightforward manner. The first phase of a two-phase protocol ends when y has received a critical additive share of the message about which the adversary has no information. □ Claim 4.3 ([63]) The decision problem for secure message transmission feasibility in the graph-only model is in P. Example: Let G be a finite rectangular mesh, t = 2 bugs, p = p' = 4 input and output ports. Secure m...

366 | A hard-core predicate for all one-way functions
- Goldreich, Levin
- 1989
Citation Context: ... functions {f_k} is a family of functions h_k : {0,1}^k → {0,1} such that determining h_k(x) from f_k(x) is as hard as determining x from f_k(x) (or negligibly close, in k). Goldreich and Levin [80] showed that every one-way function has a hard bit. The "Discrete Log Assumption" (DLA) is that exponentiation modulo a prime is a one-way function (i.e., where f_k(x) = g^x mod p_k for some prime p ...

313 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
Citation Context: ...t will be used for each instance of the O.A. protocol. Let sig be a signature scheme that is existentially unforgeable against a chosen message attack; such a scheme exists if one way functions exist [116] [130]. Let E be a symmetric-key encryption function, which also exists if one way functions exist [92, 93, 88]. ...

311 | Arthur-Merlin Games: A Randomized Proof System, and a Hierarchy of Complexity Classes
- Babai
- 1988
Citation Context: ...s a two-party protocol in which a "prover" conveys a convincing argument to a polynomially-bounded probabilistic "verifier;" this idea was introduced by Goldwasser, Micali, and Rackoff [86] and Babai [4]. More precisely, given a language L, an interactive proof system for L consists of two probabilistic interactive machines called the prover and the verifier that have access to a common input tape co...

310 | Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988
Citation Context: ...rs that might try to violate the protocol. The use of validation in secure distributed computation protocol will be seen in Sections 2.4.3 and 2.5.3. We also mention zero-knowledge proof of knowledge [69] [136], in which the verifier is convinced that the prover holds an undisclosed witness for language membership; these proof systems are also important in the context of protocol validation. 2.1.6 Sec...

302 | Minimum Disclosure Proofs of Knowledge
- Brassard, Crépeau
- 1988
Citation Context: ... unreadable by a polynomially bounded receiver under the QRA. Basic bit commitment requires that the receiver be polynomially-bounded. Another flavor of bit commitment, called "strong bit commitment" [33] [35] [115] allows the receiver to be unbounded. In this case, unreadability requires that the two probability distributions be (almost) identical. 2.1.5 Interactive Proof Systems and Zero-Knowledge P...

300 | Wallet databases with observers
- Chaum, Pedersen
- 1992

260 | Untraceable electronic cash
- Chaum, Fiat, et al.
Citation Context: ...ied: anonymity of purchase for the customer, assurance of authenticity for the vendor, impossibility of undetected reuse or forgery for the bank. A coin scheme has the interesting "off-line" property [43] if the purchase protocol does not involve the bank; everyday non-digital money is of course off-line. To balance the customer's need for anonymity (so that her/his spendings, and thus her/his lifesty...

255 | Threshold cryptosystems
- Desmedt, Frankel
- 1989
Citation Context: ...f a secret key holder is distributed over a number of participants, was introduced by Desmedt [58]. Practical implementations of group-oriented public-key encryption were given by Desmedt and Frankel [59]. (See also the related notion of fair public-key encryption [112].) We extend their implementations to achieve additional useful properties. Our scheme, which we call "additive joint encryption," can...

234 | Bit Commitment Using Pseudorandomness
- Naor
- 1991
Citation Context: ...ol by Blum [27] for two-party coin flipping. A commitment by one party, followed by a guess by the second party, followed by a revelation by the first party, is equivalent to the flip of a coin. Naor [114] shows a general construction for basing bit commitment on any one-way function, based on earlier reductions [92] [88]. A more specific example of a bit commitment scheme is based on quadratic residuo...

233 | Founding cryptography on oblivious transfer
- Kilian
- 1988
Citation Context: ...ayers. In addition to other versions of Oblivious Transfer, more sophisticated protocols can be built from this primitive. In fact, secure distributed computation can be reduced to Oblivious Transfer [96] [15] [84], as will be discussed in later sections. To give a simpler reduction now, the following scheme, due to Crépeau [54], achieves bit commitment through oblivious transfer: 1. Player A chooses...

200 | Verifiable secret sharing and achieving simultaneity in the presence of faults
- Chor, Goldwasser, et al.
- 1985
Citation Context: ...ares during a "sharing phase," and the players interpolate to recover the secret during a "recovery phase." Verifiable secret sharing (VSS), first introduced by Chor, Goldwasser, Micali, and Awerbuch [46], is a form of secret sharing in which cheating by the dealer and some of the players cannot prevent the honest players from receiving valid shares of some unique recoverable secret. More formally, a ...

163 | Limits on the Provable Consequences of One-Way Permutations
- Impagliazzo, Rudich
- 1989
Citation Context: ...d hence necessary for secure computation. This paper also shows that Oblivious Transfer implies the existence of one-way functions. However, due to a relativization result from Impagliazzo and Rudich [94], it is unlikely that the sufficiency of one-way functions for secure symmetric computation can be shown (i.e., a proof that only used one-way functions in a "black-box" manner would prove P ≠ NP). ...

162 | Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design
- Goldreich, Micali, et al.
- 1986
Citation Context: ...r player has non-secret data (or vice versa), then the problem of secure distributed computing reduces to a "minimum-knowledge" (or "zero-knowledge") circuit simulation, solved in the general case by [81], and later improved by [95]. More will be said about zero-knowledge protocols in Section 2.1.5. Organization of the Chapter The next section of this chapter gives short descriptions of cryptographic ...

160 | Hiding instances in multioracle queries
- Beaver, Feigenbaum
- 1990
Citation Context: ...is logical [37], proving security with respect to some reasonable axiomatization. Lastly, we mention some general notions that are related to secure distributed computing. Instance-hiding schemes [1] [13] involve a weak computational agent exploiting one or more strong but untrusted computational agents to compute a function for secret inputs. When one player has a secret circuit and the other player ...

138 | Foundations of Secure Interactive Computing
- Beaver
- 1991
Citation Context: ...s for such a definition are described. A third proposed definition, due to Goldwasser and Levin [84], will not be discussed. One proposal to put this area on a more formal foundation is due to Beaver [11]. He defines the idea of an "interface" to allow an adversary for one protocol to attack a second protocol; an interface is a Turing Machine that sends messages to the adversary and sends how-to-corru...

135 | Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority
- Beaver
- 1991
Citation Context: ...distributed computation versus an active adversary. The first two [22] [41] achieve t-resilience whenever there are n > 3t players, assuming a complete private network of channels. The last two [128] [12] achieve t-resilience when n > 2t, but require a broadcast channel in addition to a complete private network, and must allow a small probability of error. In the same paper that gave the protocol for ...

130 | On Hiding Information from an Oracle
- Abadi, Feigenbaum, et al.
- 1989
Citation Context: ...ach is logical [37], proving security with respect to some reasonable axiomatization. Lastly, we mention some general notions that are related to secure distributed computing. Instance-hiding schemes [1] [13] involve a weak computational agent exploiting one or more strong but untrusted computational agents to compute a function for secret inputs. When one player has a secret circuit and the other pl...

128 | The complexity of searching a graph
- Meggido, Hakimi, et al.
- 1988
Citation Context: ...f untappable channels. Our work on distributed database maintenance shows reductions between privacy and generalizations of graph searching games, a topic that has received much attention (e.g., [36] [110] [100] [104] [25]). Organization: In Section 4.2, we give the basic model of eavesdropping games. We consider the problem of secure message transmission in Section 4.3, and distributed database mainte...

120 | How to Prove a Theorem so No One Else can Claim It
- Blum
- 1986
Citation Context: ...ence can be achieved by the verifier after a linear number of challenges. As an example of a cut-and-choose procedure, consider the following sketch of a zero-knowledge proof system for Hamiltonicity [29]. A Hamiltonian cycle in a graph is a set of edges that connects all vertices in a simple (non-self-intersecting) loop. Suppose that the prover wishes to convince the verifier that a graph G with n no...

120 | A robust and verifiable cryptographically secure election scheme
- Cohen, Fischer
- 1985
Citation Context: ...ion 2.4.4. Electronic money [38] [39] is a collection of protocols (e.g., withdrawal, purchase, deposit) that implement payment schemes without any physical requirements. Secret-ballot election schemes [50] [19] [91] are essentially a special case of secure computation in which the function is a simple sum of ones and zeros. Early work in the formalization of cryptographic protocols is also of interest....

115 | Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction
- Bar-Ilan, Beaver
- 1989
Citation Context: ...ds on the running time of the programs. However, for most non-cryptographic protocols described in this paper, the programs for all players are polynomial-time (two exceptions are Bar-Ilan and Beaver [6] and Beaver, Feigenbaum, Kilian, and Rogaway [14]). Some minor variations in the definition of protocol appear in the literature. Two of these variations are mentioned at this time. The definition of ...

113 | One-way Functions are Essential for Complexity Based Cryptography (FOCS)
- Impagliazzo, Luby
- 1989
Citation Context: ...i.e., by xoring it with an inner product of the inverted value and a public random value), the weaker player can recover the secret exactly half the time. For the symmetric case, Impagliazzo and Luby [93] show that one-way functions are necessary for bit commitment, and hence necessary for secure computation. This paper also shows that Oblivious Transfer implies the existence of one-way functions. How...

112 | Coin flipping by telephone – a protocol for solving impossible problems
- Blum
- 1982
Citation Context: ... if the distributions of elements in the pre-image of zero and elements in the pre-image of one are indistinguishable to the receiver. The first bit commitment protocol was part of a protocol by Blum [27] for two-party coin flipping. A commitment by one party, followed by a guess by the second party, followed by a revelation by the first party, is equivalent to the flip of a coin. Naor [114] shows a g...

109 | Achieving Oblivious Transfer Using Weakened Security Assumptions
- Crépeau, Kilian
- 1988
Citation Context: ...)) = (m ⊕ b, r'_2) if r = r'_1, and = (m, 1 ⊕ r'_2) if r ≠ r'_1. There are many other types of Oblivious Transfer that have all been shown to be equivalent to the simple one [34] [54] [55]. One important alternative is called "1-2 Oblivious Transfer" [65] (abbreviated "1-2-OT"). In this version, player A begins with two secret bits b_0 and b_1. Player B can choose to receive exactly o...

109 | Input-Indistinguishable Computation
- Micali, Pass, et al.
- 2006
Citation Context: ...ion is that it provides a single unifying security measure, and that it facilitates modularity in both protocol design and proof of security. Another proposed formalization, due to Micali and Rogaway [113], builds on the successful definition of the zero-knowledge property for interactive proof systems. They define a "simulator" for a protocol, which can interact with an adversary in place of the netwo...

105 | Secret sharing homomorphisms: keeping shares of a secret secret
- Benaloh
- 1986
Citation Context: ...ers perform some computation on these shares. Third, the results of this computation are combined to find the actual output. Nice homomorphic properties of Shamir shares (first pointed out by Benaloh [18]) make stage two possible: any linear combination of shares of secrets is itself a share of the linear combination of secrets. For example, if p(x) and p'(x) are otherwise random degree t polynomial...

102 | Perfectly secure message transmission
- Dolev, Dwork, et al.
- 1990
Citation Context: ...nels that allow OT by some means), and in fact require no additional cryptographic assumptions. Some work has been done in the unconditional setting with incomplete networks of private channels [128] [61]. Adversaries: A player is considered "correct" if it follows its program exactly, engaging in no additional communication or computation beyond what is specified by the protocol, and keeping all of i...

98 | Society and group oriented cryptography: A new concept
- Desmedt
- 1987
Citation Context: ...and Goldreich, Micali, and Wigderson [82]. The notion of group-oriented cryptography, in which the power of a secret key holder is distributed over a number of participants, was introduced by Desmedt [58]. Practical implementations of group-oriented public-key encryption were given by Desmedt and Frankel [59]. (See also the related notion of fair public-key encryption [112].) We extend their implement...

97 | Recontamination does not help to search a graph
- LaPaugh
- 1993
Citation Context: ... channels. Our work on distributed database maintenance shows reductions between privacy and generalizations of graph searching games, a topic that has received much attention (e.g., [36] [110] [100] [104] [25]). Organization: In Section 4.2, we give the basic model of eavesdropping games. We consider the problem of secure message transmission in Section 4.3, and distributed database maintenance in Sec...

95 | Fair Computation of General Functions in Presence of Immoral Majority
- Goldwasser, Levin
- 1990
Citation Context: ...addition to other versions of Oblivious Transfer, more sophisticated protocols can be built from this primitive. In fact, secure distributed computation can be reduced to Oblivious Transfer [96] [15] [84], as will be discussed in later sections. To give a simpler reduction now, the following scheme, due to Crépeau [54], achieves bit commitment through oblivious transfer: 1. Player A chooses random b ...

90 | The Round Complexity of Secure Protocols
- Beaver, Micali, et al.
- 1990
Citation Context: ...eries, polynomial interpolation, notarized envelope schemes, and majority-voting all have log-depth circuits, and so all are available as subprotocols in this way. Lastly, Beaver, Micali, and Rogaway [16] show that constant-round poly-sized computation, resilient for a constant fraction of faulty processors, is achievable assuming that one-way functions exist. The protocol, a generalization of the two...

85 | Monotonicity in graph searching
- Bienstock, Seymour
- 1991
Citation Context: ...els. Our work on distributed database maintenance shows reductions between privacy and generalizations of graph searching games, a topic that has received much attention (e.g., [36] [110] [100] [104] [25]). Organization: In Section 4.2, we give the basic model of eavesdropping games. We consider the problem of secure message transmission in Section 4.3, and distributed database maintenance in Section ...

80 | Limits on the security of coin flips when half the processors are faulty
- Cleve
- 1986
Citation Context: ...ivate protocol, n ≤ 2t, then it has an (n − 1)-private protocol. Moreover, every such n-ary function is equivalent to an xor of n single-input functions. For the case of an active adversary, Cleve [48] has impossibility results for the much simpler problem of computing a single random bit. When at least half of the processors are faulty, it is impossible to compute a random bit in polynomial time w...