On Deniability in the Common Reference String and Random Oracle Model
In proceedings of CRYPTO ’03, LNCS series, 2003
Cited by 62 (7 self)
Abstract. We revisit the definitions of zero-knowledge in the Common Reference String (CRS) model and the Random Oracle (RO) model. We argue that even though these definitions syntactically mimic the standard zero-knowledge definition, they lose some of its spirit. In particular, we show that there exists a specific natural security property that is not captured by these definitions. This is the property of deniability. We formally define the notion of deniable zero-knowledge in these models and investigate the possibility of achieving it. Our results are different for the two models:
– Concerning the CRS model, we rule out the possibility of achieving deniable zero-knowledge protocols in “natural” settings where such protocols cannot already be achieved in the plain model.
– In the RO model, on the other hand, we construct an efficient 2-round deniable zero-knowledge argument of knowledge that preserves both the zero-knowledge property and the proof of knowledge property under concurrent executions (concurrent zero-knowledge and concurrent proof of knowledge).
General Composition and Universal Composability in Secure Multiparty Computation
2007
Cited by 53 (9 self)
Concurrent general composition relates to a setting where a secure protocol is run in a network concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols are executed concurrently. Canetti (FOCS 2001) introduced the notion of universal composability, and showed that security under this definition is sufficient for achieving concurrent general composition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (In newer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all its variants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of two-party functionalities for which it is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not "black-box", and apply even to non-black-box simulation. Our main result also demonstrates that the definition of universal composability is somewhat "minimal", in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is not overly restrictive.
Protocols for Bounded-Concurrent Secure Two-Party Computation in the Plain Model
2006
Cited by 48 (7 self)
Until recently, most research on the topic of secure computation focused on the stand-alone model, where a single protocol execution takes place. In this paper, we construct protocols for the setting of bounded-concurrent self-composition, where a (single) secure protocol is run many times concurrently, and there is a predetermined bound on the number of concurrent executions. In short, we show that any two-party functionality can be securely computed under bounded-concurrent self-composition, in the
Bounded-Concurrent Secure Two-Party Computation in a Constant Number of Rounds
In 44th FOCS, 2003
Cited by 45 (15 self)
We consider the problem of constructing a general protocol for secure two-party computation in a way that preserves security under concurrent composition. In our treatment, we focus on the case where an a priori bound on the number of concurrent sessions is specified before the protocol is constructed (a.k.a. bounded concurrency). We make no setup assumptions. Lindell (STOC 2003) has shown that any protocol for bounded-concurrent secure two-party computation, whose security is established via black-box simulation, must have round complexity that is strictly larger than the bound on the number of concurrent sessions. In this paper, we construct a (non-black-box) protocol for realizing bounded-concurrent secure two-party computation in a constant number of rounds. The only previously known protocol for realizing the above task required more rounds than the pre-specified bound on the number of sessions (despite usage of non-black-box simulation techniques). Our constructions rely on the existence of enhanced trapdoor permutations, as well as on the existence of hash functions that are collision-resistant against subexponential-sized circuits.
Computational Differential Privacy
Cited by 31 (1 self)
The definition of differential privacy has recently emerged as a leading standard of privacy guarantees for algorithms on statistical databases. We offer several relaxations of the definition which require privacy guarantees to hold only against efficient (i.e., computationally bounded) adversaries. We establish various relationships among these notions, and in doing so, we observe their close connection with the theory of pseudo-dense sets by Reingold et al. [1]. We extend the dense model theorem of Reingold et al. to demonstrate equivalence between two definitions (indistinguishability- and simulatability-based) of computational differential privacy. Our computational analogues of differential privacy seem to allow for more accurate constructions than the standard information-theoretic analogues. In particular, in the context of private approximation of the distance between two vectors, we present a differentially private protocol for computing the approximation, and contrast it with a substantially more accurate protocol that is only computationally differentially private.
New Notions of Security: Achieving Universal Composability without Trusted Setup
Cited by 28 (5 self)
We propose a modification to the framework of Universally Composable (UC) security [3]. Our new notion involves comparing the real protocol execution with an ideal execution involving ideal functionalities (just as in UC security), but allowing the environment and adversary access to some superpolynomial computational power. We argue the meaningfulness of the new notion, which in particular subsumes many of the traditional notions of security. We generalize the Universal Composition theorem of [3] to the new setting. Then, under new computational assumptions, we realize secure multiparty computation (for static adversaries) without a common reference string or any other setup assumptions, in the new framework. This is known to be impossible under the UC framework.
How to play almost any mental game over the net - concurrent composition via superpolynomial simulation
In Proceedings of the 46th Annual Symposium on Foundations of Computer Science (FOCS ’05), 2005
Cited by 24 (2 self)
We construct a secure protocol for any multiparty functionality that remains secure (under a relaxed definition of security introduced by Prabhakaran and Sahai (STOC ’04)) when executed concurrently with multiple copies of itself and other protocols, without any assumptions on the existence of trusted parties, a common reference string, an honest majority, or synchronicity of the network. The relaxation of security is obtained by allowing the ideal-model simulator to run in quasi-polynomial (as opposed to polynomial) time. Quasi-polynomial simulation suffices to ensure security for most applications of multiparty computation. Furthermore, Lindell (FOCS ’03, TCC ’04) recently showed that such a protocol is impossible to obtain under the more standard definition of polynomial-time simulation by an ideal adversary.
Constant-round concurrent zero knowledge from falsifiable assumptions
2012
Cited by 17 (5 self)
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: roughly speaking, that Micali’s non-interactive CS-proofs are sound for languages in P.
Functional encryption: New perspectives and lower bounds
Advances in Cryptology – CRYPTO ’13, 2013
Cited by 16 (4 self)
Functional encryption is an emerging paradigm for public-key encryption that enables fine-grained control of access to encrypted data. In this work, we present new perspectives on security definitions for functional encryption, as well as new lower bounds on what can be achieved. Our main contributions are as follows:
• We show a lower bound for functional encryption that satisfies a weak (non-adaptive) simulation-based security notion, via pseudorandom functions. This is the first lower bound that exploits unbounded collusions in an essential way.
• We put forth and discuss a simulation-based notion of security for functional encryption with an unbounded simulator (called USIM). We show that this notion interpolates indistinguishability- and simulation-based security notions, and has strong correlations to results and barriers in the zero-knowledge and multiparty computation literature.