Adaptive Hardness and Composable Security in the Plain Model from Standard Assumptions
We construct the first general secure computation protocols that require no trusted infrastructure other than authenticated communication, and that satisfy a meaningful notion of security that is preserved under universal composition—assuming only the existence of enhanced trapdoor permutations. The notion of security fits within a generalization of the “angel-based” framework of Prabhakaran and Sahai (STOC ’04) and implies super-polynomial time simulation security. Security notions of this kind are currently known to be realizable only under strong and specific hardness assumptions. A key element in our construction is a commitment scheme that satisfies a new and strong notion of security. The notion, security against chosen-commitment attacks (CCA security), means that security holds even if the attacker has access to an extraction oracle that gives the adversary decommitment information to commitments of the adversary’s choice. This notion is stronger than concurrent non-malleability and is of independent interest. We construct CCA-secure commitments based on standard one-way functions, and with no trusted setup. To the best of our knowledge, this provides the first construction of a natural cryptographic primitive requiring adaptive hardness from standard hardness assumptions, using no trusted setup or public keys.
Keywords: cryptography; adaptive hardness; secure multi-party computation; composable security
Constant-Round Non-Malleable Commitments from Any One-Way Function
2011
We show unconditionally that the existence of commitment schemes implies the existence of constant-round non-malleable commitments; earlier protocols required additional assumptions such as collision-resistant hash functions or sub-exponential one-way functions. Our protocol also satisfies the stronger notions of concurrent non-malleability and robustness. As a corollary, we establish that constant-round non-malleable zero-knowledge arguments for NP can be based on one-way functions and constant-round secure multi-party computation can be based on enhanced trapdoor permutations; also here, earlier protocols additionally required either collision-resistant hash functions or sub-exponential one-way functions.
Constant-Round Non-Malleable Commitment from Strong One-Way Functions
In CRYPTO ’08, Springer LNCS 5157, 2008
We present a constant-round non-malleable commitment scheme based on the existence of sub-exponential one-way functions and using a black-box proof of security. As far as we know, this is the first construction of a constant-round non-malleable protocol based on only one-wayness, or to admit a black-box proof of security under any standard-type assumption.
CSCL Theories
1996
We present a unified framework for obtaining Universally Composable (UC) protocols by relying on stand-alone secure non-malleable commitments. Essentially all results on concurrent secure computation—both in relaxed models (e.g., quasi-polynomial time simulation), or with trusted setup assumptions (e.g., the CRS model, the imperfect CRS model, or the timing model)—are obtained as special cases of our framework. This not only leads to conceptually simpler solutions, but also to improved setup assumptions, round complexity, and computational assumptions. Additionally, this framework allows us to consider new relaxed models of security: we show that UC security where the adversary is a uniform PPT but the simulator is allowed to be a non-uniform PPT (i.e., essentially, traditional UC security, but with a non-uniform reduction) is possible without any trusted setup. This gives the first results on concurrent secure computation without setup, which can be used for securely computing “computationally-sensitive” functionalities (e.g., database queries, “proof of work” protocols, or playing bridge on the Internet).
Concurrent Non-Malleable Zero Knowledge with Adaptive Inputs
Concurrent non-malleable zero-knowledge (CNMZK) considers the concurrent execution of zero-knowledge protocols in a setting where the attacker can simultaneously corrupt multiple provers and verifiers. We provide the first construction of a CNMZK protocol that, without any trusted setup, remains secure even if the attacker may adaptively select the statements to receive proofs of; previous works only handle scenarios where the statements are fixed at the beginning of the execution, or chosen adaptively from a restricted set of statements.
Concurrently Secure Computation in Constant Rounds
We study the problem of constructing concurrently secure computation protocols in the plain model, where no trust is required in any party or setup. While the well-established UC framework for concurrent security is impossible to achieve in this setting, meaningful relaxed notions of concurrent security have been achieved. The main contribution of our work is a new technique useful for designing protocols in the concurrent setting (in the plain model). The core of our technique is a new rewinding-based extraction procedure which only requires the protocol to have a constant number of rounds. We show two main applications of our technique. We obtain the first concurrently secure computation protocol in the plain model with super-polynomial simulation (SPS) security that uses only a constant number of rounds and requires only standard assumptions. In contrast, the only previously known result (Canetti et al., FOCS ’10) achieving SPS security based on standard assumptions requires a polynomial number of rounds. Our second contribution is a new definition of input-indistinguishable computation (IIC) and a constant-round protocol satisfying that definition. Our definition of input-indistinguishable computation is a simplification and strengthening of the definition of Micali et al. (FOCS ’06) in various directions. Most notably, our definition provides meaningful security guarantees even for randomized functionalities. Interestingly, we show that in fact the same protocol satisfies both the SPS and the IIC security notions. This is a preliminary version of our EUROCRYPT ’12 paper.
CONCURRENT SECURITY
2012
Traditionally, cryptographic protocols are analyzed in a “stand-alone” setting, where a single protocol execution takes place in isolation. In the age of the Internet, however, a great number of executions of different protocols coexist and are tightly interconnected. This concurrency severely undermines the foundation of the traditional study of cryptography. Since the early 90s, it has been an important theme in cryptography to address security in such a concurrent setting. However, until recently, no satisfactory solutions were proposed for performing general tasks in a concurrently secure way. In this thesis, we resolve “concurrent security”—we exhibit a construction of cryptographic protocols for general tasks that remain secure even in concurrent settings like the Internet. Different from previous works, our construction does not rely on any trusted infrastructure or strong hardness assumptions. As such, our construction broadens the applicability of cryptography by enabling it in more realistic settings and weakening the preconditions it is based on. Beyond the general feasibility result, we also significantly improve the efficiency
Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments
2012
We present barriers to provable security of two fundamental (and well-studied) cryptographic primitives, perfect non-interactive zero knowledge (NIZK) and non-malleable commitments:
• Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical (and thus also perfect) NIZK for NP based on any “standard” intractability assumptions.
• Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.
We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption. As an independent contribution, we suggest a taxonomy of game-based intractability assumptions based on 1) the security threshold, 2) the number of communication rounds in the security game, 3) the computational complexity of the game challenger, 4) the communication complexity of the challenger, and 5) the computational complexity of the security reduction.
Concurrent non-malleable zero knowledge proofs
In CRYPTO, 2010
Concurrent non-malleable zero-knowledge (NMZK) considers the concurrent execution of zero-knowledge protocols in a setting where the attacker can simultaneously corrupt multiple provers and verifiers. Barak, Prabhakaran and Sahai (FOCS ’06) recently provided the first construction of a concurrent NMZK protocol without any setup assumptions. Their protocol, however, is only computationally sound (a.k.a. a concurrent NMZK argument). In this work we present the first construction of a concurrent NMZK proof without any setup assumptions. Our protocol requires poly(n) rounds assuming one-way functions, or Õ(log n) rounds assuming collision-resistant hash functions. As an additional contribution, we improve the round complexity of concurrent NMZK arguments based on one-way functions (from poly(n) to Õ(log n)), and achieve a near-linear (instead of cubic) security reduction. Taken together, our results close the gap between concurrent ZK protocols and concurrent NMZK protocols (in terms of feasibility, round complexity, hardness assumptions, and tightness of the security reduction).
Constant-Round Black-Box Construction of Composable Multi-Party Computation Protocol
We present the first general MPC protocol that satisfies the following: (1) the construction is black-box, (2) the protocol is universally composable in the plain model, and (3) the number of rounds is constant. The security of our protocol is proven in angel-based UC security under the assumption of the existence of one-way functions that are secure against sub-exponential-time adversaries and constant-round semi-honest oblivious transfer protocols that are secure against quasi-polynomial-time adversaries. We obtain the MPC protocol by constructing a constant-round CCA-secure commitment scheme in a black-box way under the assumption of the existence of one-way functions that are secure against sub-exponential-time adversaries. To justify the use of such a sub-exponential hardness assumption in obtaining our constant-round CCA-secure commitment scheme, we show that if black-box reductions are used, there does not exist any constant-round CCA-secure commitment scheme under any falsifiable polynomial-time hardness assumptions.