Adaptively secure, universally composable, multiparty computation in constant rounds (2014)
Abstract

Cited by 5 (1 self)
Cryptographic protocols with adaptive security ensure that security holds against an adversary who can dynamically determine which parties to corrupt as the protocol progresses—or even after the protocol is finished. In the setting where all parties may potentially be corrupted, and secure erasure is not assumed, it has been a longstanding open question to design secure-computation protocols with adaptive security running in constant rounds. Here, we show a constant-round, universally composable protocol for computing any functionality, tolerating a malicious, adaptive adversary corrupting any number of parties. Interestingly, our protocol can compute all functionalities, not just adaptively well-formed ones.
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
Abstract
We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition:
• Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve round-optimal protocols with static security, or 3-round protocols with adaptive security (assuming erasure).
• Our resulting protocols are more efficient than any known previously, and in particular yield protocols for string OT using O(1) exponentiations and communicating O(1) group elements.
Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length depends on the number of parties in the network and achieves only static security. Compared to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and efficiency.
One-Sided Adaptively Secure Two-Party Computation
Abstract
Adaptive security is a strong security notion that captures additional security threats that are not addressed by static corruptions. For instance, it captures scenarios in which the attacker chooses which party to corrupt based on the protocol communication. It further captures real-world scenarios where “hackers” actively break into computers, possibly while they are executing secure protocols. Studying this setting is interesting from both theoretical and practical points of view. The former is because the theoretical understanding of this setting is not yet profound and important questions are still unresolved; a notable example is the question regarding the feasibility of constant-round adaptively secure protocols. From a practical viewpoint, generic adaptively secure protocols are far more complicated and less efficient than static protocols. A primary building block in designing adaptively secure protocols is a non-committing encryption or NCE that implements secure communication channels in the presence of adaptive corruptions. Current NCE constructions require a number of public-key operations that grows linearly with the length of the message. Furthermore, general two-party protocols require a number of NCE calls that is linear in the circuit size (or otherwise the protocol is not round efficient). As a result the number of public key
On Invertible Sampling and Adaptive Security
Abstract
Secure multiparty computation (MPC) is one of the most general and well studied problems in cryptography. We focus on MPC protocols that are required to be secure even when the adversary can adaptively corrupt parties during the protocol, and under the assumption that honest parties cannot reliably erase their secrets prior to corruption. Previous feasibility results for adaptively secure MPC in this setting applied either to deterministic functionalities or to randomized functionalities which satisfy a certain technical requirement. The question whether adaptive security is possible for all functionalities was left open. We provide the first convincing evidence that the answer to this question is negative, namely that some (randomized) functionalities cannot be realized with adaptive security. We obtain this result by studying the following related invertible sampling problem: given an efficient sampling algorithm A, obtain another sampling algorithm B such that the output of B is computationally indistinguishable from the output of A, but B can be efficiently inverted (even if A cannot). This invertible sampling problem is independently motivated by other cryptographic applications. We show, under strong but well studied assumptions, that there exist efficient sampling algorithms A for which invertible sampling as above is impossible. At the same time, we show that a general feasibility result for adaptively secure MPC implies that invertible sampling is possible for every A, thereby reaching a contradiction and establishing our main negative result.
Single-Use Oblivious Transfer Combiners (2013)
Abstract
An oblivious transfer (OT) protocol allows a receiver to obtain one of two bits held by a sender without revealing its selection. An OT combiner securely implements OT by using oracle access to n OT candidates of which at most t may be insecure. It is known that OT combiners exist when t < n/2. However, known constructions either invoke each candidate multiple times or alternatively require t to be a very small fraction of n, even in the semi-honest security model. In this work we study the goal of maximizing the security level of single-use OT combiners in the semi-honest model, namely OT combiners in which each candidate can only be invoked once. This question is motivated by scenarios in which each OT instance is implemented via a separate physical process that may leak information independent of other instances. Our main result is a statistically secure single-use OT combiner which tolerates t = n/2 − Õ(log n) bad instances. We complement this by a negative result, showing that it is impossible to tolerate t = n/2 − O(1) bad instances in this setting. More generally, given n OT instances, we construct single-use OT combiners where an adversary can corrupt the sender and t_S OT instances, or it can corrupt the receiver and t_R OT instances, such that n − (t_S + t_R) = Õ(log n).
On Black-Box Complexity of Universally Composable Security in the CRS model
Abstract
In this work, we study the intrinsic complexity of black-box Universally Composable (UC) secure computation based on general assumptions. We present a thorough study in various corruption models while focusing on achieving security in the common reference string (CRS) model. Our results involve the following:
• Static UC secure computation. Designing the first static UC secure oblivious transfer protocol based on public-key encryption and stand-alone semi-honest oblivious transfer. As a corollary we obtain the first black-box constructions of UC secure computation assuming only two-round semi-honest oblivious transfer.
• One-sided UC secure computation. Designing adaptive UC secure two-party computation with single corruptions assuming public-key encryption with oblivious ciphertext generation.
• Adaptive UC secure computation. Designing an adaptively secure UC commitment scheme assuming only public-key encryption with oblivious ciphertext generation. As a corollary we obtain the first black-box constructions of adaptive UC secure computation assuming only (trapdoor) simulatable public-key encryption (as well as a variety of concrete assumptions). We remark that such a result was not known even under non-black-box constructions.
Adaptively Secure Computation with Partial Erasures
Abstract
Adaptive security is a strong corruption model that captures “hacking” attacks where an external attacker breaks into parties’ machines in the midst of a protocol execution. There are two types of adaptively-secure protocols: adaptive with erasures and adaptive without erasures. Achieving adaptivity without erasures is preferable, since secure erasures are not always trivial. However, it seems far harder. We introduce a new model of adaptive security called adaptive security with partial erasures that allows erasures, but only assumes them in a minimal sense. Specifically, if all parties are corrupted then security holds as long as any single party successfully erases. In addition, security holds if any proper subset of the parties is corrupted without erasures. We initiate a theoretical study of this new notion and demonstrate that secure computation in this setting is as efficient as static secure computation. In addition, we study the relations between semi-adaptive security [GWZ09], adaptive security with partial erasures, and adaptive security without any erasures. We prove that the existence of semi-adaptive OT implies secure computation in all these settings.