R. Canetti, "Modular Composition of Multi-party Cryptographic Protocols", this special issue.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....inputs and the output of the computation. Correctness means that the adversary cannot prevent the uncorrupted players from learning the correct output. Furthermore, robustness means that once the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party ....

....(t a ,t p ) secure) if any (t a ,t p ,t f ) adversary (or (t a ,t p ) adversary) obtains no additional information about the non corrupted players inputs (beyond what is provided by the function output) and cannot falsify the outcome of the computation. For a precise definition of security, see [Can97,Can98]. In this paper, we consider information theoretic security, i.e. the adversary can use unlimited computational resources. Players are connected pairwise by secure communication channels in a synchronous network. The necessary and su#cient conditions for secure multi party computation to be ....

[Article contains additional citation context not shown here]

R. Canetti. Modular composition of multi-party cryptographic protocols, Nov. 1997. Manuscript.

....inputs and the output of the computation. Correctness means that the adversary cannot prevent the uncorrupted players from learning the correct output. Furthermore, robustness means that once the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party ....

....a ; t p ) secure) if any (t a ; t p ; t f ) adversary (or (t a ; t p ) adversary) obtains no additional information about the non corrupted players inputs (beyond what is provided by the function output) and cannot falsify the outcome of the computation. For a precise definition of security, see [Can97,Can98]. In this paper, we consider information theoretic security, i.e. the adversary can use unlimited computational resources. Players are connected pairwise by secure communication channels in a synchronous network. The necessary and sufficient conditions for secure multi party computation to be ....

[Article contains additional citation context not shown here]

R. Canetti. Modular composition of multi-party cryptographic protocols, Nov. 1997. Manuscript.

....inputs and the output of the computation. Correctness means that the adversary cannot prevent the uncorrupted players from learning the correct output. Furthermore, robustness means that once the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party ....

....a ; t p ) secure) if any (t a ; t p ; t f ) adversary (or (t a ; t p ) adversary) obtains no additional information about the non corrupted players inputs (beyond what is provided by the function output) and cannot falsify the outcome of the computation. For a precise definition of security, see [Can97,Can98]. In this paper, we consider information theoretic security, i.e. the adversary can use unlimited computational resources. Players are connected pairwise by secure communication channels in a synchronous network. The necessary and sufficient conditions for secure multi party computation to be ....

[Article contains additional citation context not shown here]

R. Canetti. Modular composition of multi-party cryptographic protocols, Nov. 1997. Manuscript.

....inputs and the output of the computation. Correctness means that the adversary cannot prevent the uncorrupted players from learning the correct output. Furthermore, robustness means that once the inputs have been committed by the players, the adversary cannot stop the computation. We refer to [Can97,Can98] for a precise definition of security in multi party computation. The types of tolerable adversaries have recently been generalized in a number of directions (adaptive adversaries [CFGN96] uncoercibility [CG96] non threshold adversaries [HM97] and some authors have investigated multi party ....

....a ; t p ) secure) if any (t a ; t p ; t f ) adversary (or (t a ; t p ) adversary) obtains no additional information about the non corrupted players inputs (beyond what is provided by the function output) and cannot falsify the outcome of the computation. For a precise definition of security, see [Can97,Can98]. In this paper, we consider information theoretic security, i.e. the adversary can use unlimited computational resources. Players are connected pairwise by secure communication channels in a synchronous network. The necessary and sufficient conditions for secure multi party computation to be ....

[Article contains additional citation context not shown here]

R. Canetti. Modular composition of multi-party cryptographic protocols, Nov. 1997. Manuscript.

No context found.

R. Canetti, "Modular Composition of Multi-party Cryptographic Protocols", this special issue.

....require at least t parties to use randomness, and that in some cases, such as the XOR function, t is sufficient. The Protocols Composition Technique. To show the security of our protocols, we use general definitions of secure multiparty protocols. In particular, we use the formalization of [11], which allows modular composition of secure protocols. This formalization is based on the [3] approach. That is, in order to avoid re proving the security of the [6] construction from scratch, we separately prove the security of the overall design of our protocol, assuming that the [6] modules ....

....construction from scratch, we separately prove the security of the overall design of our protocol, assuming that the [6] modules for secret sharing and for evaluating individual gates are secure. We then conclude that the composition of our overall design with the [6] modules is secure using the [11] composition theorem. We remark that a formal proof of security for [6] was never published. It can be inferred, say, from the security proof of [5] as it appears in [12] The modular proof technique used here can be applied also to proving the security of the [6] protocol itself. Organization. ....

[Article contains additional citation context not shown here]

R. Canetti, "Modular Composition of Multi-party Cryptographic Protocols", Available at the Theory of Cryptography Library, http://theory.lcs.mit.edu/~tcryptol, 1998. manuscript (available from the author), 1998.

....of protocol ae i , securely computes g from scratch. This paper concentrates on the non concurrent case, where only a single subroutine invocation is in execution at any given time. The more general case, where several subroutine invocations may be running at the same time, is dealt with in [8], and requires a stronger notion of security of protocols. A sketch of this stronger notion appears in Appendix A. Several other composition methods for protocols are considered in the literature. For instance, 4 sequential composition usually means simply running two (secure) protocols one ....

....completed. A natural generalization of the definition, dealing with the case where several subroutine calls are running concurrently, would allow P to interact with the adversary (both in real life and in the ideal process) also during the run of the protocol. This generalization is addressed in [8]. Note that Definition 10 lets the ideal process adversary S depend on the post protocol corruptor P . As noted in Remark 4 (Section 3.1.1) this apparent relaxation is of no technical consequence. Yet, it may help prove security of protocols. Finally, we remark that a notion of post protocol ....

R. Canetti, "Modular composition of multi-party cryptographic protocols: The concurrent case", in preparation.

....require at least t parties to use randomness, and that in some cases, such as the XOR function, t is sufficient. The Protocol Composition Technique. To show the security of our protocols, we use general definitions of secure multiparty protocols. In particular, we use the formalization of [C99], which allows modular composition of secure protocols. This formalization is based on the [B91a, B91b] approach. That is, in order to avoid reproving the security of the [BGW88] construction from scratch, we separately prove the security of the overall design of our protocol, assuming that the ....

....That is, in order to avoid reproving the security of the [BGW88] construction from scratch, we separately prove the security of the overall design of our protocol, assuming that the [BGW88] modules for secret sharing and for evaluating individual gates are secure. We then conclude, using the [C99] composition theorem, that the composition of our overall design with the [BGW88] modules is secure. For self containment we also sketch a proof of security of our protocol for passive adversaries, without relying on [C99] We remark that a formal proof of security for [BGW88] was never ....

[Article contains additional citation context not shown here]

R. Canetti, "Modular Composition of Multi-party Cryptographic Protocols", this special issue.

....as the main general tool for modular protocol design. This paper concentrates on the non concurrent case, where only a single subroutine invocation is in execution at any given time. The more general case, where several subroutine invocations may be running at the same time, will be dealt with in [8], and seems to require a stronger notion of security of protocols. We formalize and prove the above theorem for the settings described above (i.e. non adaptive, adaptive, passive, active adversaries in the secure channels and computational settings) In particular, this is the first time a ....

R. Canetti, "Modular composition of multi-party cryptographic protocols: The concurrent case", in preparation.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC