Results 1-10 of 12
Possibility and impossibility results for encryption and commitment secure under selective opening
In A. Joux (Ed.), Advances in Cryptology—EUROCRYPT 2009, 2009
Cited by 57 (12 self)
Abstract. The existence of encryption and commitment schemes secure under selective opening attack (SOA) has remained open despite considerable interest and attention. We provide the first public key encryption schemes secure against sender corruptions in this setting. The underlying tool is lossy encryption. We then show that no non-interactive or perfectly binding commitment schemes can be proven secure with black-box reductions to standard computational assumptions, but any statistically hiding commitment scheme is secure. Our work thus shows that the situation for encryption schemes is very different from the one for commitment schemes.
Constant-Round Concurrent Non-Malleable Zero Knowledge in the Bare Public-Key Model
Cited by 8 (3 self)
Abstract. One of the central questions in Cryptography is the design of round-efficient protocols that are secure under concurrent man-in-the-middle attacks. In this paper we present the first constant-round concurrent non-malleable zero-knowledge argument system for NP in the Bare Public-Key model [Canetti et al. STOC 2000], resolving one of the major open problems in this area. To achieve our result, we introduce and study the notion of non-malleable witness indistinguishability, which is of independent interest. Previous results either achieved relaxed forms of concurrency/security or needed stronger setup assumptions or required a non-constant round complexity.
CSCL Theories
1996
Cited by 7 (2 self)
Abstract. We present a unified framework for obtaining Universally Composable (UC) protocols by relying on stand-alone secure non-malleable commitments. Essentially all results on concurrent secure computation—both in relaxed models (e.g., quasi-polynomial time simulation), or with trusted setup assumptions (e.g., the CRS model, the imperfect CRS model, or the timing model)—are obtained as special cases of our framework. This not only leads to conceptually simpler solutions, but also to improved setup assumptions, round-complexity, and computational assumptions. Additionally, this framework allows us to consider new relaxed models of security: we show that UC security where the adversary is a uniform PPT but the simulator is allowed to be a non-uniform PPT (i.e., essentially, traditional UC security, but with a non-uniform reduction) is possible without any trusted setup. This gives the first results on concurrent secure computation without setup, which can be used for securely computing “computationally-sensitive” functionalities (e.g., database queries, “proof of work” protocols, or playing bridge on the Internet).
Categories and Subject Descriptors: F.1.2 [Theory of Computation]: Interactive and reactive computation
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
2010
Cited by 5 (0 self)
Abstract. Universal composability and concurrent general composition consider a setting where secure protocols are run concurrently with each other and with arbitrary other possibly insecure protocols. Protocols that meet the definition of universal composability are guaranteed to remain secure even when run in this strongly adversarial setting. In the case of an honest majority, or where there is a trusted setup phase of some kind (like a common reference string or the key-registration public-key infrastructure of Barak et al. in FOCS 2004), it has been shown that any functionality can be securely computed in a universally composable way. On the negative side, it has also been shown that in the plain model where there is no trusted setup at all, there are large classes of functionalities which cannot be securely computed in a universally composable way without an honest majority. In this paper we extend these impossibility results for universal composability. We study a number of public-key models and show for which models the impossibility results of universal composability hold and for which they do not. We also consider a setting where the inputs to the protocols running in the network are fixed before any execution begins. The majority of our
Improving Cut-and-Choose in Verifiable Encryption and Fair Exchange Protocols using Trusted Computing Technology
2009
Cited by 3 (1 self)
Abstract. Cut-and-choose is used in interactive zero-knowledge protocols in which a prover answers a series of random challenges that establish with high probability that the prover is honestly following the defined protocol. In this paper, we examine one such protocol and explore the consequences of replacing the statistical trust gained from cut-and-choose with a level of trust that depends on the use of secure, trusted hardware. As a result, previous interactive protocols with multiple rounds can be improved to non-interactive protocols with computational requirements equivalent to a single round of the original protocol. Surprisingly, we accomplish this goal by using hardware that is not designed for our applications, but rather simply provides a generic operation that we call “certified randomness,” which produces a one-way image of a random value along with an encrypted version that is signed by the hardware to indicate that these values are properly produced. It is important to stress that while we use this operation to improve cut-and-choose protocols, the trusted operation does not depend in any way on the particular protocol or even data used in the protocol: it operates only with random data that it generates. This functionality can be achieved with minor extensions to the standard Trusted Platform Modules (TPMs) that are being used in many current systems. We demonstrate our technique through application to cut-and-choose protocols for verifiable group encryption and optimistic fair exchange. In both cases we can remove or drastically reduce the amount of interaction required, as well as decrease the computational requirements significantly.
Concurrent non-malleable zero knowledge proofs
In CRYPTO, 2010
Cited by 2 (0 self)
Abstract. Concurrent non-malleable zero-knowledge (NMZK) considers the concurrent execution of zero-knowledge protocols in a setting where the attacker can simultaneously corrupt multiple provers and verifiers. Barak, Prabhakaran and Sahai (FOCS’06) recently provided the first construction of a concurrent NMZK protocol without any setup assumptions. Their protocol, however, is only computationally sound (a.k.a., a concurrent NMZK argument). In this work we present the first construction of a concurrent NMZK proof without any setup assumptions. Our protocol requires poly(n) rounds assuming one-way functions, or Õ(log n) rounds assuming collision-resistant hash functions. As an additional contribution, we improve the round complexity of concurrent NMZK arguments based on one-way functions (from poly(n) to Õ(log n)), and achieve a near-linear (instead of cubic) security reduction. Taken together, our results close the gap between concurrent ZK protocols and concurrent NMZK protocols (in terms of feasibility, round complexity, hardness assumptions, and tightness of the security reduction).
Completely non-malleable encryption revisited
PKC 2008, LNCS, 2008
Cited by 2 (0 self)
Abstract. Several security notions for public-key encryption schemes have been proposed so far, in particular considering the powerful adversary that can play a so-called “man-in-the-middle” attack. In this paper we extend the notion of completely non-malleable encryption introduced in [Fischlin, ICALP 05]. This notion immunizes a scheme from adversaries that can generate related ciphertexts under new public keys. This notion is motivated by its powerful features when encryption schemes are used as subprotocols. While in [Fischlin, ICALP 05] the only notion of simulation-based completely non-malleable encryption with respect to CCA2 adversaries was given, we present new game-based definitions for completely non-malleable encryption that follow the standard separations among NM-CPA, NM-CCA1 and NM-CCA2 security given in [Bellare et al., CRYPTO 98]. This is motivated by the fact that in several cases the simplest notion we introduce (i.e., NM-CPA*) suffices for the main application that motivated the introduction of the notion of NM-CCA2* security, i.e., the design of non-malleable commitment schemes. Further, the game-based definition of NM-CPA* security actually implies the simulation-based one. We then focus on constructing encryption schemes that satisfy these strong security notions and show: 1) an NM-CCA2* secure encryption scheme in the shared random string model; 2) an NM-CCA2* secure encryption scheme in the plain model; for this second result, we use interaction and non-black-box techniques to overcome an impossibility result. Our results clarify the importance of these stronger notions of encryption schemes and show how to construct them without requiring random oracles.
Concurrent Secure Computation via Non-Black-Box Simulation
Abstract. Recently, Goyal (STOC’13) proposed a new non-black-box simulation technique for fully concurrent zero knowledge with straight-line simulation. Unfortunately, so far this technique is limited to the setting of concurrent zero knowledge. The goal of this paper is to study what can be achieved in the setting of concurrent secure computation using non-black-box simulation techniques, building upon the work of Goyal. The main contribution of our work is a secure computation protocol in the fully concurrent setting with a straight-line simulator, that allows us to achieve several new results: – We give first positive results for concurrent blind signatures and verifiable random functions in the plain model as per the ideal/real world security definition. Our positive result is somewhat surprising in light of the impossibility result of Lindell (STOC’03) for black-box simulation. We circumvent this impossibility using non-black-box simulation. This gives us a quite natural example of a functionality in concurrent
Efficient Verifiable Escrow and Fair Exchange with Trusted Hardware
2013
Abstract. At the heart of many fair exchange problems is verifiable escrow: a sender encrypts some value using the public key of a trusted party (called the recovery agent), and then must convince the receiver of the ciphertext that the corresponding plaintext satisfies some property (e.g., it contains the sender’s signature on a contract). Previous solutions to this problem are interactive, and often rely on communication-intensive cut-and-choose zero-knowledge proofs. In this paper, we provide a solution that uses generic trusted hardware to create an efficient, non-interactive verifiable escrow scheme. Our solution allows the protocol to use a set of recovery agents with a threshold access structure, the verifiable group escrow notion which was informally introduced by Camenisch and Damgard and which is formalized here. Finally, this paper shows how this new non-interactive verifiable escrow scheme can be used to create an efficient optimistic protocol for fair exchange of signatures.
Simulation-Based Concurrent Non-Malleable Commitments and Decommitments
Appeared in Sixth IACR Theory of Cryptography Conference TCC 2009, 2009
Abstract. In this paper we consider commitment schemes that are secure against concurrent man-in-the-middle (cMiM) attacks. Under such attacks, two possible notions of security for commitment schemes have been proposed in the literature: concurrent non-malleability with respect to commitment and concurrent non-malleability with respect to decommitment (i.e., opening). After the original notion of non-malleability introduced by [Dolev, Dwork and Naor STOC 91] that is based on the independence of the committed messages, a new and stronger simulation-based notion of non-malleability has been proposed with respect to openings or with respect to commitment [1,2,3,4] by requiring that for any man-in-the-middle adversary there is a stand-alone adversary that succeeds with the same probability. When commitment schemes are used as subprotocols (which is often the case) the simulation-based notion is much more powerful and simplifies the task of proving the security of the larger protocols. The main result of this paper is a commitment scheme that is simulation-based concurrent non-malleable with respect to both commitment and decommitment. This property protects against cMiM attacks mounted during both commitments and decommitments, which is a crucial security requirement in several applications, as in some digital auctions, in which players have to perform both commitments and decommitments. Our scheme uses a constant number of rounds of interaction in the plain model and is the first scheme that enjoys all these properties under the simulation-based definitions.