Sharemind: a framework for fast privacy-preserving computations. Cryptology ePrint Archive, Report 2008/289, 2008.
Cited by 93 (16 self)
Abstract. Gathering and processing sensitive data is a difficult task. In fact, there is no common recipe for building the necessary information systems. In this paper, we present a provably secure and efficient general-purpose computation system to address this problem. Our solution—SHAREMIND—is a virtual machine for privacy-preserving data processing that relies on share computing techniques. This is a standard way for securely evaluating functions in a multiparty computation environment. The novelty of our solution is in the choice of the secret sharing scheme and the design of the protocol suite. We have made many practical decisions to make large-scale share computing feasible in practice. The protocols of SHAREMIND are information-theoretically secure in the honest-but-curious model with three computing participants. Although the honest-but-curious model does not tolerate malicious participants, it still provides significantly increased privacy preservation when compared to standard centralised databases.
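The share-computing technique the abstract refers to, as an added example rather than code from the Sharemind project: additive secret sharing among three honest-but-curious computing parties. The modulus 2^32, the 3-out-of-3 reconstruction and all function names are assumptions of this example. It shows why addition and multiplication by a public constant cost no communication, and enumerates what any two of the three parties see to check that their joint view is independent of the secret.

```python
"""Additive secret sharing among three computing parties.

Added example, not code from the Sharemind project. Assumptions made
here: additive sharing modulo 2**32 and 3-out-of-3 reconstruction;
all function names are this example's own.
"""
import secrets
from collections import Counter
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple

MOD = 2 ** 32        # assumption: the ring Z_{2^32}; wrap-around is deliberate
N_PARTIES = 3        # three computing participants, as in the abstract


def share(secret: int, n: int = N_PARTIES, mod: int = MOD,
          rng: Callable[[int], int] = secrets.randbelow) -> List[int]:
    """Split `secret` into n shares whose sum is `secret` modulo `mod`.

    The first n-1 shares are uniformly random; the last one is fixed so
    the sum comes out right. Any n-1 shares are therefore uniformly
    distributed regardless of the secret, which is the information-
    theoretic privacy claim for the honest-but-curious model.
    """
    if not 0 <= secret < mod:
        raise ValueError("secret must lie in [0, mod)")
    shares = [rng(mod) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % mod)
    return shares


def reconstruct(shares: Sequence[int], mod: int = MOD) -> int:
    """Opening a value needs all n shares: add them modulo `mod`."""
    return sum(shares) % mod


def add_shares(a: Sequence[int], b: Sequence[int], mod: int = MOD) -> List[int]:
    """Party i adds its own shares a[i] + b[i]; no messages are exchanged."""
    return [(x + y) % mod for x, y in zip(a, b)]


def scale_shares(a: Sequence[int], c: int, mod: int = MOD) -> List[int]:
    """Multiplication by a public constant is likewise a local operation."""
    return [(x * c) % mod for x in a]


def sum_private_inputs(inputs: Sequence[int]) -> int:
    """Aggregate many data owners' inputs without any party seeing them.

    Each owner shares its value to the N_PARTIES computing parties, the
    parties add locally, and only the final sum is opened.
    """
    acc = [0] * N_PARTIES
    for v in inputs:
        acc = add_shares(acc, share(v))
    return reconstruct(acc)


def view_distribution(secret: int, colluding: Tuple[int, ...],
                      n: int = N_PARTIES, mod: int = 8) -> Dict[Tuple[int, ...], int]:
    """Enumerate every random tape of `share` (small `mod` only) and count
    the share tuples the colluding parties observe. If the counts do not
    depend on `secret`, the colluding parties' joint view leaks nothing."""
    views: Counter = Counter()
    for tape in product(range(mod), repeat=n - 1):
        tape_iter = iter(tape)
        shares = share(secret, n, mod, rng=lambda _m: next(tape_iter))
        views[tuple(shares[i] for i in colluding)] += 1
    return dict(views)
```

What the example deliberately does not show is multiplying two shared values, which needs a dedicated protocol with communication between the parties, and the privacy argument assumes the parties follow the protocol: a participant that deviates can distort the result without the others noticing, which is the limitation of the honest-but-curious model the abstract names.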
Universally composable multiparty computation using tamper-proof hardware. In EUROCRYPT, Lecture Notes in Computer Science, 2007.
Cited by 62 (5 self)
Abstract. Protocols proven secure within the universal composability (UC) framework satisfy strong and desirable security properties. Unfortunately, it is known that within the “plain” model, secure computation of general functionalities without an honest majority is impossible. This has prompted researchers to propose various “setup assumptions” with which to augment the bare UC framework in order to bypass this severe negative result. Existing setup assumptions seem to inherently require some trusted party (or parties) to initialize the setup in the real world. We propose a new setup assumption — more along the lines of a physical assumption regarding the existence of tamper-proof hardware — which also suffices to circumvent the impossibility result mentioned above. We suggest this assumption as potentially leading to an approach that might alleviate the need for trusted parties, and compare our assumption to those proposed previously.
Universally Composable Security with Global Setup. In Proceedings of the 4th Theory of Cryptography Conference, 2007.
Cited by 53 (5 self)
Abstract. Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that re-establishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
General Composition and Universal Composability in Secure Multiparty Computation, 2007.
Cited by 53 (9 self)
Abstract. Concurrent general composition relates to a setting where a secure protocol is run in a network concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols are executed concurrently. Canetti (FOCS 2001) introduced the notion of universal composability, and showed that security under this definition is sufficient for achieving concurrent general composition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (In newer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all its variants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of two-party functionalities for which it is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not "black-box", and apply even to non-black-box simulation. Our main result also demonstrates that the definition of universal composability is somewhat "minimal", in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is not overly restrictive.
Universally Composable Password-Based Key Exchange. Advances in Cryptology - Eurocrypt 2005, LNCS, 2005.
Cited by 49 (9 self)
Abstract. We propose and realize a definition of security for password-based key exchange within the framework of universal composability (UC), thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For instance, our definition does not assume any underlying probability distribution on passwords, nor does it assume independence between passwords chosen by different parties. We also formulate a definition of password-based secure channels, and show how to realize such channels given any password-based key exchange protocol. The password-based key exchange protocol shown here is in the common reference string model and relies on standard number-theoretic assumptions. The components of our protocol can be instantiated to give a relatively efficient solution which is conceivably usable in practice. We also show that it is impossible to satisfy our definition in the “plain” model (e.g., without
Protocols for Bounded-Concurrent Secure Two-Party Computation in the Plain Model, 2006.
Cited by 48 (7 self)
Abstract. Until recently, most research on the topic of secure computation focused on the stand-alone model, where a single protocol execution takes place. In this paper, we construct protocols for the setting of bounded-concurrent self-composition, where a (single) secure protocol is run many times concurrently, and there is a predetermined bound on the number of concurrent executions. In short, we show that any two-party functionality can be securely computed under bounded-concurrent self-composition, in the
Bounded-Concurrent Secure Two-Party Computation in a Constant Number of Rounds. In 44th FOCS, 2003.
Cited by 45 (15 self)
Abstract. We consider the problem of constructing a general protocol for secure two-party computation in a way that preserves security under concurrent composition. In our treatment, we focus on the case where an a priori bound on the number of concurrent sessions is specified before the protocol is constructed (a.k.a. bounded concurrency). We make no setup assumptions. Lindell (STOC 2003) has shown that any protocol for bounded-concurrent secure two-party computation, whose security is established via black-box simulation, must have round complexity that is strictly larger than the bound on the number of concurrent sessions. In this paper, we construct a (non-black-box) protocol for realizing bounded-concurrent secure two-party computation in a constant number of rounds. The only previously known protocol for realizing the above task required more rounds than the prespecified bound on the number of sessions (despite usage of non-black-box simulation techniques). Our constructions rely on the existence of enhanced trapdoor permutations, as well as on the existence of hash functions that are collision-resistant against subexponential-sized circuits.
Lower bounds for non-black-box zero knowledge. In 44th FOCS, 2003.
Cited by 41 (7 self)
Abstract. We show new lower bounds and impossibility results for general (possibly non-black-box) zero-knowledge proofs and arguments. Our main results are that, under reasonable complexity assumptions: 1. There does not exist a two-round zero-knowledge proof system with perfect completeness for an NP-complete language. The previous impossibility result for two-round zero knowledge, by Goldreich and Oren (J. Cryptology, 1994) was only for the case of auxiliary-input zero-knowledge proofs and arguments. 2. There does not exist a constant-round zero-knowledge strong proof or argument of knowledge (as defined by Goldreich (2001)) for a nontrivial language. 3. There does not exist a constant-round public-coin proof system for a nontrivial language that is resettable zero knowledge. This result also extends to bounded-resettable zero knowledge, in which the number of resets is a priori bounded by a polynomial in the input length and prover-to-verifier communication.
Secure Computation Without Authentication. In CRYPTO 2005, Springer-Verlag (LNCS 3621), 2005.
Cited by 30 (10 self)
Abstract. Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the honest parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in itself, and also independent of the computation in the other sets. In the basic setting our construction provides, for the first time, nontrivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and non-malleable commitments. As an application of our results, we study the question of constructing secure protocols in partially-authenticated networks, where some of the links are authenticated and some are not (as is the case in most networks today).
General security definition and composability for quantum & classical protocols, 2004.
Cited by 30 (3 self)
Abstract. We generalize the universally composable definition of Canetti to the Quantum World. The basic idea is the same as in the classical world. However, we unfold the result in a new model which is adapted to quantum protocols, and also simplify some aspects of the classical case.