Results 1  10
of
51
How to Go Beyond the BlackBox Simulation Barrier
 In 42nd FOCS
, 2001
"... The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present t ..."
Abstract

Cited by 240 (13 self)
 Add to MetaCart
The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present the first constructions of nonblackbox simulators. Using these new nonblackbox techniques we obtain several results that were previously proven to be impossible to obtain using blackbox simulators. Specifically, assuming the existence of collision resistent hash functions, we construct a new zeroknowledge argument system for NP that satisfies the following properties: 1. This system has a constant number of rounds with negligible soundness error. 2. It remains zero knowledge even when composed concurrently n times, where n is the security parameter. Simultaneously obtaining 1 and 2 has been recently proven to be impossible to achieve using blackbox simulators. 3. It is an ArthurMerlin (public coins) protocol. Simultaneously obtaining 1 and 3 was known to be impossible to achieve with a blackbox simulator. 4. It has a simulator that runs in strict polynomial time, rather than in expected polynomial time. All previously known constantround, negligibleerror zeroknowledge arguments utilized expected polynomialtime simulators.
An efficient protocol for secure twoparty computation in the presence of malicious adversaries
 In Proceedings of the annual international conference on Advances in Cryptology
, 2007
"... Abstract. We show an efficient secure twoparty protocol, based on Yao’s construction, which provides security against malicious adversaries. Yao’s original protocol is only secure in the presence of semihonest adversaries. Security against malicious adversaries can be obtained by applying the comp ..."
Abstract

Cited by 118 (14 self)
 Add to MetaCart
(Show Context)
Abstract. We show an efficient secure twoparty protocol, based on Yao’s construction, which provides security against malicious adversaries. Yao’s original protocol is only secure in the presence of semihonest adversaries. Security against malicious adversaries can be obtained by applying the compiler of Goldreich, Micali and Wigderson (the “GMW compiler”). However, this approach does not seem to be very practical as it requires using generic zeroknowledge proofs. Our construction is based on applying cutandchoose techniques to the original circuit and inputs. Security is proved according to the ideal/real simulation paradigm, and the proof is in the standard model (with no random oracle model or common reference string assumptions). The resulting protocol is computationally efficient: the only usage of asymmetric cryptography is for running O(1) oblivious transfers for each input bit (or for each bit of a statistical security parameter, whichever is larger). Our protocol combines techniques from folklore (like cutandchoose) along with new techniques for efficiently proving consistency of inputs. We remark that a naive implementation of the cutandchoose technique with Yao’s protocol does not yield a secure protocol. This is the first paper to show how to properly implement these techniques, and to provide a full proof of security. Our protocol can also be interpreted as a constantround blackbox reduction of secure twoparty computation to oblivious transfer and perfectlyhiding commitments, or a blackbox reduction of secure twoparty computation to oblivious transfer alone, with a number of rounds which is linear in a statistical security parameter. These two reductions are comparable to Kilian’s reduction, which uses OT alone but incurs a number of rounds which is linear in the depth of the circuit [18]. 1
Parallel CoinTossing and ConstantRound Secure TwoParty Computation
 Journal of Cryptology
, 2001
"... Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that e ..."
Abstract

Cited by 79 (13 self)
 Add to MetaCart
Abstract. In this paper we show that any twoparty functionality can be securely computed in a constant number of rounds, where security is obtained against malicious adversaries that may arbitrarily deviate from the protocol specification. This is in contrast to Yao’s constantround protocol that ensures security only in the face of semihonest adversaries, and to its malicious adversary version that requires a polynomial number of rounds. In order to obtain our result, we present a constantround protocol for secure cointossing of polynomially many coins (in parallel). We then show how this protocol can be used in conjunction with other existing constructions in order to obtain a constantround protocol for securely computing any twoparty functionality. On the subject of cointossing, we also present a constantround perfect cointossing protocol, where by “perfect ” we mean that the resulting coins are guaranteed to be statistically close to uniform (and not just pseudorandom). 1
ConstantRound CoinTossing With a Man in the Middle or Realizing the Shared Random String Model
 In 43rd FOCS
, 2002
"... We construct the first constantround nonmalleable commitment scheme and the first constantround nonmalleable zeroknowledge argument system, as defined by Dolev, Dwork and Naor. Previous constructions either used a nonconstant number of rounds, or were only secure under stronger setup assumption ..."
Abstract

Cited by 71 (4 self)
 Add to MetaCart
(Show Context)
We construct the first constantround nonmalleable commitment scheme and the first constantround nonmalleable zeroknowledge argument system, as defined by Dolev, Dwork and Naor. Previous constructions either used a nonconstant number of rounds, or were only secure under stronger setup assumptions. An example of such an assumption is the shared random string model where we assume all parties have access to a reference string that was chosen uniformly at random by a trusted dealer. We obtain these results by defining an adequate notion of nonmalleable cointossing, and presenting a constantround protocol that satisfies it. This protocol allows us to transform protocols that are nonmalleable in (a modified notion of) the shared random string model into protocols that are nonmalleable in the plain model (without any trusted dealer or setup assumptions). Observing that known constructions of a noninteractive nonmalleable zeroknowledge argument systems in the shared random string model are in fact nonmalleable in the modified model, and combining them with our cointossing protocol we obtain the results mentioned above. The techniques we use are different from those used in previous constructions of nonmalleable protocols. In particular our protocol uses diagonalization and a nonblackbox proof of security (in a sense similar to Barak’s zeroknowledge argument).
On Deniability in the Common Reference String and Random Oracle Model
 In proceedings of CRYPTO ’03, LNCS series
, 2003
"... Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there ..."
Abstract

Cited by 62 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We revisit the definitions of zeroknowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zeroknowledge definition, they loose some of its spirit. In particular, we show that there exist a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zeroknowledge in these models and investigate the possibility of achieving it. Our results are different for the two models: – Concerning the CRS model, we rule out the possibility of achieving deniable zeroknowledge protocols in “natural ” settings where such protocols cannot already be achieved in plain model. – In the RO model, on the other hand, we construct an efficient 2round deniable zeroknowledge argument of knowledge, that preserves both the zeroknowledge property and the proof of knowledge property under concurrent executions (concurrent zeroknowledge and concurrent proofof knowledge). 1
New and improved constructions of nonmalleable cryptographic protocols
 In 37th Annual ACM Symposium on Theory of Computing
, 2005
"... We present a new constant round protocol for nonmalleable zeroknowledge. Using this protocol as a subroutine, we obtain a new constantround protocol for nonmalleable commitments. Our constructions rely on the existence of (standard) collision resistant hash functions. Previous constructions eith ..."
Abstract

Cited by 54 (18 self)
 Add to MetaCart
We present a new constant round protocol for nonmalleable zeroknowledge. Using this protocol as a subroutine, we obtain a new constantround protocol for nonmalleable commitments. Our constructions rely on the existence of (standard) collision resistant hash functions. Previous constructions either relied on the existence of trapdoor permutations and hash functions that are collision resistant against subexponential sized circuits, or required a superconstant number of rounds. Additional results are the first construction of a nonmalleable commitment scheme that is statistically hiding (with respect to opening), and the first nonmalleable commitments that satisfy a strict polynomialtime simulation requirement. Our approach differs from the approaches taken in previous works in that we view nonmalleable zeroknowledge as a buildingblock rather than an end goal. This gives rise to a modular construction of nonmalleable commitments and results in a somewhat simpler analysis.
Universally Composable Security with Global Setup
 In Proceedings of the 4th Theory of Cryptography Conference
, 2007
"... Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls ..."
Abstract

Cited by 53 (5 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that reestablishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
Protocols for BoundedConcurrent Secure TwoParty Computation in the Plain Model
, 2006
"... Until recently, most research on the topic of secure computation focused on the standalonemodel, where a single protocol execution takes place. In this paper, we construct protocols for the setting of boundedconcurrent selfcomposition, where a (single) secure protocol is run manytimes concurrent ..."
Abstract

Cited by 48 (7 self)
 Add to MetaCart
(Show Context)
Until recently, most research on the topic of secure computation focused on the standalonemodel, where a single protocol execution takes place. In this paper, we construct protocols for the setting of boundedconcurrent selfcomposition, where a (single) secure protocol is run manytimes concurrently, and there is a predetermined bound on the number of concurrent executions. In short, we show that any twoparty functionality can be securely computed under boundedconcurrent selfcomposition, in the
BoundedConcurrent Secure TwoParty Computation in a Constant Number of Rounds
 In 44th FOCS
, 2003
"... We consider the problem of constructing a general protocol for secure twoparty computation in a way that preserves security under concurrent composition. In our treatment, we focus on the case where an apriori bound on the number of concurrent sessions is specified before the protocol is construct ..."
Abstract

Cited by 45 (15 self)
 Add to MetaCart
(Show Context)
We consider the problem of constructing a general protocol for secure twoparty computation in a way that preserves security under concurrent composition. In our treatment, we focus on the case where an apriori bound on the number of concurrent sessions is specified before the protocol is constructed (a.k.a. bounded concurrency). We make no setup assumptions. Lindell (STOC 2003) has shown that any protocol for boundedconcurrent secure twoparty computation, whose security is established via blackbox simulation, must have round complexity that is strictly larger than the bound on the number of concurrent sessions. In this paper, we construct a (non blackbox) protocol for realizing boundedconcurrent secure twoparty computation in a constant number of rounds. The only previously known protocol for realizing the above task required more rounds than the prespecified bound on the number of sessions (despite usage of non blackbox simulation techniques). Our constructions rely on the existence of enhanced trapdoor permutations, as well as on the existence of hash functions that are collisionresistant against subexponential sized circuits. 1
Lower bounds for nonblackbox zero knowledge
 In 44th FOCS
, 2003
"... We show new lower bounds and impossibility results for general (possibly nonblackbox) zeroknowledge proofs and arguments. Our main results are that, under reasonable complexity assumptions: 1. There does not exist a tworound zeroknowledge proof system with perfect completeness for an NPcomplet ..."
Abstract

Cited by 41 (7 self)
 Add to MetaCart
(Show Context)
We show new lower bounds and impossibility results for general (possibly nonblackbox) zeroknowledge proofs and arguments. Our main results are that, under reasonable complexity assumptions: 1. There does not exist a tworound zeroknowledge proof system with perfect completeness for an NPcomplete language. The previous impossibility result for tworound zero knowledge, by Goldreich and Oren (J. Cryptology, 1994) was only for the case of auxiliaryinput zeroknowledge proofs and arguments. 2. There does not exist a constantround zeroknowledge strong proof or argument of knowledge (as defined by Goldreich (2001)) for a nontrivial language. 3. There does not exist a constantround publiccoin proof system for a nontrivial language that is resettable zero knowledge. This result also extends to boundedresettable zero knowledge, in which the number of resets is a priori bounded by a polynomial in the input length and provertoverifier communication.