R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In 28th Annual ACM Symposium on Theory of Computing (STOC), 1996.
....between our model and the computational one is not that significant. Moreover, in the general context of secure multi-party computation, information-theoretic VSS provides better round efficiency than the alternative zero-knowledge proof methodology on which most computationally secure protocols rely [30, 5, 15]. Indeed, as noted above, our results can be used to improve the exact round complexity of computationally secure protocols which rely on information-theoretic VSS (such as [6] Multicast is a very important practical problem in many of today's Internet applications (e.g. video on demand, news ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proc. 28th STOC, pp. 639-648.
....such results are due to Canetti, Goldreich and Halevi [6] the goals in question being IND-CPA secure asymmetric encryption and digital signatures secure against chosen-message attack. Nielsen [17] followed with a separation result for the goal of non-interactive, non-committing encryption (NCE) [5]. However, the schemes of [6] are somewhat artificial (meaning, not like practical schemes one typically encounters) and also complex through the use of CS proofs [16]. The scheme of [17] on the other hand, is natural but the goal considered (namely, non-interactive NCE) is not as practical as ....
....CS proof based one. In our separation results, both the scheme and the goal are natural and practical. Let us begin by describing the goal. An additional concern is that Nielsen's separation [17] might be the result of having incorrectly lifted the standard-model definition of the NCE goal [5] to the random oracle model. We recall that the definition of NCE is in Canetti's multi-party computation framework [4] which uses the notion of an environment. In moving to the RO model, Nielsen denies the random oracle to the environment. But the definition of the RO model is that all ....
R. Canetti, U. Feige, O. Goldreich and M. Naor, "Adaptively secure multi-party computation," Proceedings of the 28th Annual Symposium on the Theory of Computing, ACM, 1996.
....the subject of a considerable amount of work, originating from [11, 8, 2, 4]. The model considered here is a minimalistic one, referred to as the model of honest but curious parties, in the information-theoretic setting. Stronger adversarial scenarios, including Byzantine [2, 4] and adaptive [3] adversaries, have been studied in the literature. Negative results on private computation in our model hold in the more adversarial (information-theoretic) models as well. The seminal works of [2, 4] showed that all n-argument functions over finite domains X i can be computed b 2 c privately. In ....
....such that f attains the same value on all m vectors uj i d , 1 d m. The function f is called non-separable if it is non-separable at each of its n coordinates. Any constant function is clearly non-separable. As a less trivial example, Figure 1 describes a specific function g, whose domain is [3] . This function is non-separable, as g(1; 1; 1) g(2; 1; 1) g(3; 1; 1) g(2; 1; 2) g(2; 2; 2) g(2; 3; 2) and g(3; 3; 1) g(3; 3; 2) g(3; 3; 3) Lemma 4.1. If f : m] Z is a non-constant non-separable function, then f is not fully private. Proof. The following proof ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proc. of 28th STOC, pages 639-648, 1996.
....even when composed with any other set of protocols that may be running concurrently in the same system. It is known that any ideal functionality can be securely realized in a universally composable way using standard constructions, as long as a majority of the participants remain uncorrupted [3, 44, 11, 10]. However, this result does not hold when half or more of the parties may be corrupted. In particular, it does not hold for the important case of two-party protocols, where each party wishes to maintain its security even if the other party is corrupted. In fact, it was shown in [12, 10] that a ....
....commitment protocol in the CRS model, assuming only existence of trapdoor permutations. UC commitment protocols are protocols that securely realize the ideal commitment functionality [12]. Existing constructions [12, 17] are based on stronger computational assumptions. Our scheme uses tools from [35, 26, 11, 12, 23, 46]. Next, plugging the new scheme into the UC zero-knowledge protocol of [12] (which assumes access to the ideal commitment functionality) we obtain an adaptively secure UC zero-knowledge protocol in the CRS model, for any NP relation, and based on any trapdoor permutation. Here multiple proof ....
[Article contains additional citation context not shown here]
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-Party Computation. STOC 96.
....of message M is (z, #) Verifying signature Input : PK,M,SIG) where PK = n, e, g, v) SIG = z, #) 1. Compute y # = z mod n. 2. Accept the signature if # = H(y # , M) Figure 2: TH GQ Sig TH GQ Ver: Signing and verifying message in INT JOINT ZVSS are erased (the erasing technique [CFGN96, CGJ 99] Finally, each player P i computes his partial signature z i = r i s c i mod n. 3.2.2 Signature construction To compute the signature for M , we choose t 1 valid partial signatures z i 1 , z i 2 , z i t 1 and compute their interpolation # i j L = g j=1 # i j (fr ....
Ran Canetti, Uriel Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proceedings of the 28th Annual ACM Symposium on the Theory of Computing (STOC '96), pages 639--648. ACM, 1996.
....a small group of participants to make some decision amongst themselves, an adaptive adversary could wait until the selection had been made and then corrupt the members of that small group. Proving protocols secure against adaptive adversaries has been problematic even in the classical setting [CFGN96, CDD 99]. Choosing to handle only static adversaries simplifies the definitions and proofs considerably, and offers no real loss of intuition. Nonetheless, we believe that the protocols we describe here are secure against adaptive adversaries, assuming that the environment in which the ....
Ran Canetti, Uriel Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 639-648, 1996.
....the adversary can tamper with). The adversary is computationally unbounded. If one is only interested in feasibility results, then one only needs to consider the second model, Msec . By (carefully) encrypting communication over authenticated channels, one can implement secure channels in Mauth [5], so in fact any protocol for Msec is also a protocol for Mauth . However, protocols designed specifically for Msec can use computational cryptographic tools for greater simplicity and efficiency. Similarly, any protocol for Msec leads to a protocol for Mq (by implementing secure channels using ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proc. 31st ACM Symposium on the Theory of Computing (STOC), pages 639-648, 1996.
....of the particular message. Another example for a problematic case is when all the processors send a message to the same destination in this case the identity of the receiver is revealed. Another approach is to use generic secure multi-party function evaluation protocols (see, for example, [12, 2, 6, 4, 3]). However, all these generic protocols are complicated and require many rounds of communication; we suggest more efficient protocols for hiding the communication pattern. Furthermore, the above solutions assume that there is a communication link between any two processors; there are solutions ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multiparty computation. In Proc. of the 28th Annu. ACM Symp. on the Theory of Computing, pp. 639--648, 1996.
....to hope for in realistic scenarios, and one would like to be able to do without them. But without erasure, protocols such as the one from [15] is not known to be adaptively secure. The original simulation based security proof for [15] fails completely against an adaptive adversary. However, in [9], Canetti et al. introduce a new concept called non committing encryption and observe that if one replaces messages on the secure channels used in [6, 10] by non committing encryptions sent on an open network, one obtains adaptively secure MPC in the computational setting. They also showed how to ....
....can nevertheless be simulated with an indistinguishable distribution such that the simulator can later open a ciphertext to reveal any plaintext it desires. In an MPC setting, this is what allows to simulate the adversary's view before and after a player is corrupted. The scheme from [9] has expansion factor at least k^2, i.e. it needs to send #(k^2) bits for each plaintext bit communicated. Subsequently, Beaver [4] proposed a much simpler scheme based on the Decisional Diffie-Hellman assumption (DDH) with expansion factor O(k). Recently, Jarecki and Lysyanskaya [17] have ....
[Article contains additional citation context not shown here]
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multiparty computation. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 639--648, Philadelphia, Pennsylvania, 22--24 May 1996.
....corrupts servers over time depending on its entire view of the computation; and (2) upon becoming corrupted, the players have to hand over to the adversary their entire computation history; i.e. nothing can be erased. Although results in general multi-party computation guarantee feasibility [6, 5, 10], they cannot be directly applied without incurring a considerable computation penalty. In contrast, threshold protocols are tailor-made for a specific task at hand and are therefore much more practical. Securing threshold cryptographic systems against adaptive attacks has been the subject of ....
....schemes has been proposed by Catalano et al. [8]. Unlike the adaptive adversary, the static adversary's corruption strategy is independent of the computation history and can be assumed to be fixed in advance. It is known that statically secure protocols are not necessarily adaptively secure [6, 5, 10]. While Catalano et al. suggest that it is possible to turn their statically secure solution into an adaptively secure one, they do not give an explicit construction. In this paper, we extend the protocol of Catalano et al. and obtain the first construction of erasure-free adaptively secure ....
[Article contains additional citation context not shown here]
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multiparty computation. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pages 639-648, 1996.
....line of work, Bellare and Rogaway considered authentication in several settings [3, 2, 4]. We apply some of their ideas in order to define security in the multi-user case. Resilience against adaptive adversaries in general multi-party protocols has been studied in several places (see, e.g. [7, 8]). We use a notion of non-committing encryptions, developed for these purposes, in order to handle the case of adaptive corruption of users. It can also be used to provide forward secrecy. 2 Precise Description of the Halevi-Krawczyk Results In this Section we review the results in [17] Section ....
....string oe instead of the appropriate reply to a challenge, the adversary will be able to distinguish transcripts of the simulation from those of a real execution. The special encryption scheme provides non-committing encryption, a concept introduced by Canetti, Feige, Goldreich, and Naor [8] precisely to tolerate dynamic adversaries in secure multi-party protocols. In such an encryption scheme there are two modes of operation: normal mode messages are encrypted and decrypted and each ciphertext has a unique decryption. simulation mode where strings are generated as ciphertexts, but ....
[Article contains additional citation context not shown here]
R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively Secure Multi-party Computation, Proc. of the 27th ACM Symp. on Theory of Computing, 1996, pp. 639--648.
....and robust against the stronger and more realistic adaptive adversary, who chooses which players to corrupt at any time and based on any information he sees during the protocol. These results are important since it is known that the adaptive adversary is strictly stronger than the static one [CFGN96,Can98,CDD 99] However, none of these adaptively secure protocols remained secure under concurrent composition, and they all required erasures. In addition, the cryptosystems and signature schemes implemented by these threshold schemes are not known to be provably secure under adaptive chosen ....
....by these threshold schemes are not known to be provably secure under adaptive chosen ciphertext attack adaptive chosen message attack. We remark that even though general multi-party computation results guarantee adaptive erasure-free distributed function evaluation [BGW88,CCD88,CDD 99,CFGN96] implementing threshold cryptography via these general techniques is impractical. General model. We consider a network of n players and an adaptive adversary that can corrupt up to a minority t n/2 of the players. The players have access to a reliable broadcast channel, there are insecure ....
[Article contains additional citation context not shown here]
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pages 639-648, 1996.
....the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi-party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96], uncoercibility [CG96], non-threshold adversaries [HM97]) and some authors have investigated multi-party computation for various minimality and complexity criteria [FKN94,CGT95,FY92,Kus89]. Security can also be classified according to the adversary's computational resources (limited, hence ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multiparty computation. In Proc. 28th ACM Symposium on the Theory of Computing (STOC), pages 639--648, Nov. 1996.
.... are all proven secure with respect to a non-adaptive adversary who must choose which participants to corrupt before protocol execution begins (this is the type of adversary we consider here). Many recent works have dealt with stronger classes of adversaries, including adaptive adversaries [1, 5] who may corrupt participants at any time during the protocol based on its entire history. Proactive systems [38] consider adversaries who may corrupt up to k 1 participants during any single time period. We refer the reader elsewhere for exhaustive references (e.g. [25, 33]). The ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively Secure Multi-Party Computation. STOC '96.
....of the particular message. Another example for a problematic case is when all the processors send a message to the same destination in this case the identity of the receiver is revealed. Another approach is to use generic secure multi-party function evaluation protocols (see, for example, [14, 3, 7, 5, 4]). However, all these generic protocols are complicated and require many rounds of communication; we suggest more efficient protocols for hiding the communication pattern. Furthermore, the above solutions assume that there is a communication link between any two processors; there are solutions ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proc. of the 28th Annu. ACM Symp. on the Theory of Computing, pp. 639--648, 1996.
....of the Cramer-Shoup cryptosystem [CS98] is secure and robust against up to O(√n) adaptively corrupted servers. Security against the adaptive adversary is preferable to security against the static adversary because (1) the adaptive adversary is strictly more powerful than the static one [CFGN96, CDD 99] (2) the adaptive attack is a practical attack. Previous work There are two works in the literature that present practical constructions of a threshold cryptographic system secure against adaptive adversary: the results of Canetti et al. [CGJ 99a] with DSS and RSA, and that of ....
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pages 639-648, 1996.
....our model and the computational one is not that significant. Moreover, in the general context of secure multi-party computation, information-theoretic VSS provides better round efficiency than the alternative zero-knowledge proof methodology on which most computationally secure protocols rely [30, 5, 15]. Indeed, as noted above, our results can be used to improve the exact round complexity of computationally secure protocols which rely on information-theoretic VSS (such as [6] Multicast is a very important practical problem in many of today's Internet applications (e.g. video on demand, news ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proc. 28th STOC, pp. 639--648.
....in an arbitrary manner. The adversary we consider is static i.e. it decides which players to corrupt at the beginning of the computation. Also our adversary is computationally unbounded. We follow formal definitions of VSS and secure multiparty computations that have appeared in several papers [FM, MR91, Bea91, CFGN96, Can95]. Remark. Because of space limitations, formal definitions and proofs have been omitted from this abstract. We refer the reader to the final version of the paper [GRR98]. 2 Verifiable Secret Sharing Made Very Simple Since the appearance of Shamir's [Sha79] and Blakley's [Bla79] seminal papers ....
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proc. 28th Annual Symp. on the Theory of Computing, pages 639--648. ACM, 1996.
....the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi-party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96], uncoercibility [CG96], non-threshold adversaries [HM97]) and some authors have investigated multi-party computation for various minimality and complexity criteria [FKN94,CGT95,FY92,Kus89]. Security can also be classified according to the adversary's computational resources (limited, hence ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multiparty computation. In Proc. 28th ACM Symposium on the Theory of Computing (STOC), pages 639--648, Nov. 1996.
.... previous results for the cryptographic model are by Goldreich, Micali and Wigderson [25] who showed that, assuming trapdoor one-way permutations exist, any function can be securely computed in presence of a static, active adversary corrupting less than n/2 players and by Canetti et al. who show [10] that security against adaptive adversaries in the cryptographic model can also be obtained. VSS was introduced in [12]. All results mentioned so far only apply to threshold adversary structures. Gennaro [23] considered VSS in a non-threshold setting, and Hirt and Maurer [26] introduced the ....
....scenario secure against any active and static A adversary. It has communication complexity O(k C ( GF (q) A) 2 ) Both the above results hold only for static adversaries. Security against adaptive adversaries can be obtained (at a loss of efficiency) by using non-committing encryption [10]. More details on this can be found in Section 8. 4 Multiplicative Monotone Span Programs As mentioned earlier, Monotone Span Programs (MSP) are essentially equivalent to LSSS's (see e.g. [4]). It turns out to be convenient to describe our protocols in terms of MSP's, which we do for the rest of ....
[Article contains additional citation context not shown here]
R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, Proc. ACM STOC '96, pp. 639--648.
....to hope for in realistic scenarios, and one would like to be able to do without them. But without erasure, protocols such as the one from [15] is not known to be adaptively secure. The original simulation based security proof for [15] fails completely against an adaptive adversary. However, in [9], Canetti et al. introduce a new concept called non committing encryption and observe that if one replaces messages on the secure channels used in [6, 10] by non committing encryptions sent on an open network, one obtains adaptively secure MPC in the computational setting. They also showed how to ....
....can nevertheless be simulated with an indistinguishable distribution such that the simulator can later open a ciphertext to reveal any plaintext it desires. In an MPC setting, this is what allows to simulate the adversary's view before and after a player is corrupted. The scheme from [9] has expansion factor at least k^2, i.e. it needs to send #(k^2) bits for each plaintext bit communicated. Subsequently, Beaver [4] proposed a much simpler scheme based on the Decisional Diffie-Hellman assumption (DDH) with expansion factor O(k). Recently, Jarecki and Lysyanskaya [17] have ....
[Article contains additional citation context not shown here]
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multiparty computation. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 639--648, Philadelphia, Pennsylvania, 22--24 May 1996.
....in the nth round, P n computes m n = m n 1 x n z n and announces m n as the output. 10 The definition given above is sometimes called static privacy. A more general definition, where the coalition T can be chosen (by an adversary) in an adaptive manner, was defined and discussed in [11]. 11 If we allow the trusted dealer Q to be active, he can collect the inputs of all players and compute the answer. However, we will not be able to transform such a solution to the standard model (with no trusted dealer). A simple induction shows that, ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor, Adaptively secure multi-party computation, in Proc. of 28th Annual ACM Symposium on Theory of Computing, ACM, New York, 1996, pp. 639--648.
.... previous results for the cryptographic model are by Goldreich, Micali and Wigderson [24] who showed that, assuming trapdoor one-way permutations exist, any function can be securely computed in presence of a static, active adversary corrupting less than n/2 players and by Canetti et al. who show [9] that security against adaptive adversaries in the cryptographic model can also be obtained. VSS was introduced in [11]. All results mentioned so far only apply to threshold adversary structures. Gennaro [22] considered VSS in a non-threshold setting, and Hirt and Maurer [25] introduced the ....
R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, Proc. ACM STOC '96, pp. 639--648.
No context found.
R. Canetti, U. Feige, O. Goldreich, and M. Naor, "Adaptively Secure MultiParty Computation", Proc. of 28th STOC, 1996, pp. 639--648.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-party Computation. In 28th ACM Symposium on the Theory of Computing, pages 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-party Computation. In 28th ACM Symposium on the Theory of Computing, pages 639-648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-Party Computation. In 28th STOC, pages 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-party Computation. In 28th ACM Symposium on the Theory of Computing, pages 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-Party Computation. In 28th STOC, pages 639--648, 1996.
.... within the [c01] framework is called universally composable (UC) It has been shown that any ideal functionality can be securely realized in a universally composable way using known constructions, as long as a majority of the participants remain uncorrupted [c01] building upon [bgw88, rb89, cfgn96] However, this result does not hold when half or more of the parties may be corrupted. In particular, it does not hold for the important case of two party protocols, where each party wishes to maintain its security even if the other party is corrupted. In fact, it was shown in [cf01, c01] that ....
....Our protocols are based on the following cryptographic assumptions. For the non adaptive case (both semi honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive case we additionally assume the existence of augmented non committing encryption protocols [cfgn96] The augmentation includes oblivious key generation and invertible samplability [dn00] Loosely speaking, oblivious key generation states that public keys can be generated without knowing the corresponding private keys, and invertible samplability states that given a public private key pair it ....
[Article contains additional citation context not shown here]
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-Party Computation. In 28th STOC, pages 639-648, 1996.
.... within the [c01] framework is called universally composable (UC) It has been shown that any ideal functionality can be securely realized in a universally composable way using known constructions, as long as a majority of the participants remain uncorrupted [c01] building upon [bgw88, rb89, cfgn96] However, this result does not hold when half or more of the parties may be corrupted. In particular, it does not hold for the important case of two party protocols, where each party wishes to maintain its security even if the other party is corrupted. In fact, it was shown in [cf01, c01] that ....
....Our protocols are based on the following cryptographic assumptions. For the non adaptive case (both semi honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive case we additionally assume the existence of augmented non committing encryption protocols [cfgn96] The augmentation includes oblivious key generation and invertible samplability [dn00] Loosely speaking, oblivious key generation states that public keys can be generated without knowing the corresponding private keys, and invertible samplability states that given a public private key pair it ....
[Article contains additional citation context not shown here]
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-Party Computation. In 28th STOC, pages 639--648, 1996.
....key) obscures the real issue. The crux of the problem seems to lie in the fact that (usually) E(p i ; r i ) provides a commitment to the plaintext value p i . For standard encryption schemes, B can only open c i in one way: 8(p ) 6= p i ; r i ) E(p ) 6= E(p i ; r i ) Indeed, [5] defined and constructed a non-committing encryption scheme, and used it to bypass the problem of selective decryption in order to construct distributed protocols that are secure against a dynamic adversary. The existence of a non-committing encryption scheme does not solve the problem of ....
....focus here on schemes with single round commit phase and single round reveal phase. For more general (i.e. interactive) definitions of commitment schemes see e.g. [26, 27]. Although there are quite a few researchers that were concerned with problems of this nature during the last decade (e.g. [4, 5, 6, 14, 28]) 34 c i = C(p i ; r i ) r i is the (independent) string of random bits used in creating the commitment c i . B then sends c to A. 2. Given the commitments vector c, the adversary A selects a legal subset of the commitments: I = fi 1 ; i k g f1; 2; mg. A then sends I ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor, Adaptively secure multiparty computation, Proc. 28th ACM Symp. on Theory of Computing, 1996, pp. 639-648.
....[20] Beaver's papers [1, 2] have a similar approach. The approach of Goldwasser and Levin [17] is more general: It avoids the definition of security (w.r.t a given functionality) and instead defines a notion of protocol robustness. do so based on partial information it has gathered so far (cf. [5]). A somewhat more restricted model, which seems adequate in many setting, postulates that the set of dishonest parties is fixed (arbitrarily) before the execution starts. The latter model is called non-adaptive as opposed to the adaptive adversary discussed first. An orthogonal parameter of ....
....channels, secure multi-party computation is possible in the following models (cf. [4, 7]) 1. Passive adversary which may control only a minority of the parties. 3 2. Active adversary which may control only less than one third of the parties. In both cases the adversary may be adaptive (cf. [4, 5]). • Secure multi-party computation is possible against an active, adaptive and mobile adversary which may control a small constant fraction of the parties at any point in time [21]. This result makes no computational assumptions, allows computationally unbounded adversaries, but assumes ....
[Article contains additional citation context not shown here]
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-party Computation. In 28th STOC, pages 639--648, 1996.
....case of passive adversaries these protocols withstand up to t n/2 corrupted parties. In the case of active adversaries these protocols withstand up to t n/3 corrupted parties. In both cases this is the maximum attainable resilience. Considerable amount of work has been done in this area (e.g. [2, 3, 7, 8, 13, 20, 22, 26, 39, 40, 41, 42, 44]) in the sequel we concentrate on works concerning the relation between multiparty security and randomness. Randomness. Randomness plays an important role in computer science. In particular, in the context of distributed computing there are important examples of problems where there is a provable ....
....we use this extension in our constructions. 2 Preliminaries We start by specifying the requirements from a protocol for securely computing a function f whose inputs are partitioned among several parties. Several definitions of multiparty secure computation have been proposed in the past (e.g. [45, 29, 3, 13, 11]) In this work we use the definition of [11] which, for self containment, we sketch below. We concentrate on the secure channels setting of [6, 16] where the adversary is computationally unbounded but has no access to the communication between non faulty parties. Moreover, we concentrate on ....
R. Canetti, U. Feige, O. Goldreich, and M. Naor, "Adaptively Secure Multi-Party Computation", Proc. of 28th STOC, 1996, pp. 639--648.
....works on distributed cryptography assumes a static adversary. This is due to the difficulties encountered when trying to design and prove protocols resistant to adaptive adversaries. However, it is known that protocols can be secure in the static model and still insecure in the adaptive one [CFGN96, CDD 99, Can98] Therefore, since the adaptive adversary model appears to better capture real threats, proving protocols secure in the static model is not enough to assume their practical security. Although general constructions have been shown in the adaptive adversary model for secure ....
....capture real threats, proving protocols secure in the static model is not enough to assume their practical security. Although general constructions have been shown in the adaptive adversary model for secure distributed evaluation of any polynomial time computable function [BGW88, CCD88, BH92, CFGN96] these general results do not provide sufficiently efficient solutions to practical applications like adaptively secure threshold DSS or RSA signature scheme. Until now, no efficient adaptive solutions for threshold cryptosystems were known. Our Contribution. The main contribution of this paper ....
[Article contains additional citation context not shown here]
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proc. 28th STOC, pages 639--648. ACM, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In 28th Annual ACM Symposium on Theory of Computing (STOC), 1996.
No context found.
CANETTI, R., FEIGE, U., GOLDREICH, O., AND NAOR, M. 1996. Adaptively secure multi-party computation. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing. ACM Press, New York, 639--648.
No context found.
R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation, Proc. ACM STOC '96, pp. 639--648.
No context found.
R. Canetti, U. Feige, O. Goldreich, M. Naor. Adaptively secure multi-party computation. Proc. ACM STOC'96 (1996) 639--648.
No context found.
Ran Canetti, Uriel Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In ACM Symposium on Theory of Computing, pages 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively Secure Multi-Party Computation. 28th ACM Symposium on Theory of Computing (STOC), ACM, pp. 639--648, 1996.
No context found.
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In 28th Annual ACM Symposium on the Theory of Computing (STOC), 1996.
No context found.
Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 639--648, Philadelphia, Pennsylvania, 22--24 May 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-party Computation. 28th Symposium on Theory of Computing (STOC '96), pages 639-648. 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multi-party computation. In Proc. 28th Annual ACM Symposium on Theory of Computing (STOC), pages 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively-Secure Multiparty Computation. 28th ACM Symposium on Theory of Computing (STOC), ACM, pp. 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively-Secure Multiparty Computation. 28th ACM Symposium on Theory of Computing (STOC), ACM, pp. 639--648, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor. Adaptively Secure Multi-party Computation. 28th Symposium on Theory of Computing (STOC '96), pages 639-648. 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich and M. Naor, Adaptively Secure Multi-party Computation, TR682, LCS/MIT, 1996.
No context found.
R. Canetti, U. Feige, O. Goldreich, M. Naor, Adaptively secure multi-party computation. In Proceedings of the 28th Annual ACM Symposium on the Theory of Computing (May 1996), pp. 639--648.