On the Black-Box Complexity of Optimally-Fair Coin Tossing
Cited by 14 (6 self)
Abstract. A fair two-party coin tossing protocol is one in which both parties output the same bit that is almost uniformly distributed (i.e., it equals 0 and 1 with probability that is at most negligibly far from one half). It is well known that it is impossible to achieve fair coin tossing even in the presence of fail-stop adversaries (Cleve, FOCS 1986). In fact, Cleve showed that for every coin tossing protocol running for r rounds, an efficient fail-stop adversary can bias the output by Ω(1/r). Since this is the best possible, a protocol that limits the bias of any adversary to O(1/r) is called optimally-fair. The only optimally-fair protocol that is known to exist relies on the existence of oblivious transfer, because it uses general secure computation (Moran, Naor and Segev, TCC 2009). However, it is possible to achieve a bias of O(1/√r) in r rounds relying only on the assumption that there exist one-way functions. In this paper we show that it is impossible to achieve optimally-fair coin tossing via a black-box construction from one-way functions for r that is less than O(n / log n), where n is the input/output length of the one-way function used. An important corollary of this is that it is impossible to construct an optimally-fair coin tossing protocol via a black-box construction from one-way functions whose round complexity is independent of the security parameter n determining the security of the one-way function being used. Informally speaking, the main ingredient of our proof is to eliminate the random oracle from “secure” protocols with “low round-complexity” and simulate the protocol securely against semi-honest adversaries in the plain model. We believe our simulation lemma to be of broader interest.
BiTR: Built-in Tamper Resilience
Cited by 5 (0 self)
Abstract. The assumption of the availability of tamper-proof hardware tokens has been used extensively in the design of cryptographic primitives. For example, Katz (Eurocrypt 2007) suggests them as an alternative to other setup assumptions, towards achieving general UC-secure multi-party computation. On the other hand, a lot of recent research has focused on protecting the security of various cryptographic primitives against physical attacks such as leakage and tampering. In this paper we put forward the notion of Built-in Tamper Resilience (BiTR) for cryptographic protocols, capturing the idea that the protocol that is encapsulated in a hardware token is designed in such a way that tampering gives no advantage to an adversary. Our definition is within the UC model, and can be viewed as unifying and extending several prior related works. We provide a composition theorem for BiTR security of protocols, impossibility results, as well as several BiTR constructions for specific cryptographic protocols or tampering function classes. In particular, we achieve general UC-secure computation based on a hardware token that may be susceptible to affine tampering attacks. We also prove that two existing identification and signature schemes (by Schnorr and Okamoto, respectively) are already BiTR against affine attacks (without requiring any modification or encoding). We next observe that non-malleable codes can be used as state encodings to achieve the BiTR property, and show new positive results for deterministic non-malleable encodings for various classes of tampering functions.
Feasibility and Infeasibility of Secure Computation with Malicious PUFs
In Advances in Cryptology – CRYPTO 2014, 2014
Cited by 2 (0 self)
Abstract. A recent line of work has explored the use of physically uncloneable functions (PUFs) for secure computation, with the goals of (1) achieving universal composability without (additional) setup, and/or (2) obtaining unconditional security (i.e., avoiding complexity-theoretic assumptions). Initial work assumed that all PUFs, even those created by an attacker, are honestly generated. Subsequently, researchers have investigated models in which an adversary can create malicious PUFs with arbitrary behavior. Researchers have considered both malicious PUFs that might be stateful, as well as malicious PUFs that can have arbitrary behavior but are guaranteed to be stateless. We settle the main open questions regarding secure computation in the malicious-PUF model:
– We prove that unconditionally secure oblivious transfer is impossible, even in the stand-alone setting, if the adversary can construct (malicious) stateful PUFs.
– We show that universally composable two-party computation is possible if the attacker is limited to creating (malicious) stateless PUFs. Our protocols are simple and efficient, and do not require any cryptographic assumptions.
Lower Bounds in the Hardware Token Model
Cited by 1 (0 self)
We study the complexity of secure computation in the tamper-proof hardware token model. Our main focus is on non-interactive unconditional two-party computation using bit-OT tokens, but we also study computational security with stateless tokens that have more complex functionality. Our results can be summarized as follows:
• We show that there exists a class of functions such that the number of bit-OT tokens required to securely implement them is at least the size of the sender’s input. The same applies to the receiver’s input size (with a different class of functionalities).
• We investigate the existence of non-adaptive protocols in the hardware token model. In a non-adaptive protocol, the queries to the tokens are fixed in advance, as opposed to an adaptive protocol in which the queries can depend on the answers from the previously queried tokens. In this work, we show that the existence of non-adaptive protocols in the hardware token model implies efficient (decomposable) randomized encodings. Since efficient decomposable randomized encodings are believed not to exist for all efficient functions, this result can be interpreted as evidence of the impossibility of non-adaptive protocols for efficiently
METAP: Revisiting Privacy-Preserving Data Publishing using Secure Devices
Abstract. The goal of Privacy-Preserving Data Publishing (PPDP) is to generate a sanitized (i.e. harmless) view of sensitive personal data (e.g. a health survey), to be released to some agencies or simply the public. However, traditional PPDP practices all make the assumption that the process is run on a trusted central server. In this article, we argue that the trust assumption on the central server is far too strong. We propose MetAP, a generic fully distributed protocol, to execute various forms of PPDP algorithms on an asymmetric architecture composed of low-power secure devices and a powerful but untrusted infrastructure. We show that this protocol is both correct and secure against honest-but-curious or malicious adversaries. Finally, we provide an experimental validation showing that this protocol can support PPDP processes scaling up to nationwide surveys.
(Efficient) Universally Composable Oblivious Transfer Using a Minimal Number of Stateless Tokens
2013
We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware for universally composable secure computation. As our main result, we show an efficient oblivious-transfer (OT) protocol in which two parties each create and exchange a single, stateless token and can then run an unbounded number of OTs. Our result yields what we believe is the most practical and efficient known approach for oblivious transfer based on tamper-proof tokens, and implies that the parties can perform (repeated) secure computation of arbitrary functions without exchanging additional tokens. Motivated by this result, we investigate the minimal number of stateless tokens needed for universally composable OT / secure computation. We prove that our protocol is optimal in this regard for constructions making black-box use of the tokens (in a sense we define). We also show that non-black-box techniques can be used to obtain a construction using only a single stateless token.