Results 11  20
of
827
Universally Composable Notions of Key Exchange and Secure Channels
, 2002
"... Abstract. Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for keyexchange (ke) protocols, called SKsecurity, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability p ..."
Abstract

Cited by 123 (11 self)
 Add to MetaCart
(Show Context)
Abstract. Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for keyexchange (ke) protocols, called SKsecurity, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability properties of SKsecure ke protocols. We show that while the notion of SKsecurity is strictly weaker than a fullyidealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SKsecurity guarantees the security of the key for any application that desires to setup secret keys between pairs of parties. We also provide new definitions of securechannels protocols with similarly strong composability properties, and show that SKsecurity suffices for obtaining these definitions. To obtain these results we use the recently proposed framework of “universally composable (UC) security. ” We also use a new tool, called “noninformation oracles, ” which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishabilitybased definitions such as SKsecurity and more powerful, simulationbased definitions, such as UC security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a fullfledged multisession keyexchange protocol to the (simpler) analysis of individual, standalone, keyexchange sessions.
Inputindistinguishable computation
"... We put forward a first definition of general secure computation that, without any trusted setup, â¢ handles an arbitrary number of concurrent executions; and â¢ is implementable based on standard complexity assumptions. In contrast to previous definitions of secure computation, ours is not simula ..."
Abstract

Cited by 120 (8 self)
 Add to MetaCart
We put forward a first definition of general secure computation that, without any trusted setup, â¢ handles an arbitrary number of concurrent executions; and â¢ is implementable based on standard complexity assumptions. In contrast to previous definitions of secure computation, ours is not simulationbased.
Secure multiparty computation of approximations
, 2001
"... Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the ..."
Abstract

Cited by 108 (25 self)
 Add to MetaCart
Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely, without revealing more information than necessary. In this work we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations. We start by extending standard definitions of secure (exact) computation to the setting of secure approximations. Our definitions guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated. We then study the complexity of specific secure approximation problems. In particular, we obtain a sublinearcommunication protocol for securely approximating the Hamming distance and a polynomialtime protocol for securely approximating the permanent and related #Phard problems. 1
On the Limitations of Universally Composable TwoParty Computation without Setup Assumptions
 Journal of Cryptology
, 2003
"... Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrar ..."
Abstract

Cited by 103 (18 self)
 Add to MetaCart
(Show Context)
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multiparty, multiprotocol, multiexecution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of twoparty protocols. We study the feasibility of universally composable twoparty function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible ” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output. 1
Soundness of formal encryption in the presence of active adversaries
 In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS
, 2004
"... Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties ..."
Abstract

Cited by 97 (11 self)
 Add to MetaCart
(Show Context)
Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a DolevYao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network. 1
MerkleDamg˚ard Revisited: How to Construct a Hash Function
 Advances in Cryptology, Crypto 2005
"... The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than col ..."
Abstract

Cited by 96 (8 self)
 Add to MetaCart
(Show Context)
The most common way of constructing a hash function (e.g., SHA1) is to iterate a compression function on the input message. The compression function is usually designed from scratch or made out of a blockcipher. In this paper, we introduce a new security notion for hashfunctions, stronger than collisionresistance. Under this notion, the arbitrary length hash function H must behave as a random oracle when the fixedlength building block is viewed as a random oracle or an ideal blockcipher. The key property is that if a particular construction meets this definition, then any cryptosystem proven secure assuming H is a random oracle remains secure if one plugs in this construction (still assuming that the underlying fixedlength primitive is ideal). In this paper, we show that the current design principle behind hash functions such as SHA1 and MD5 — the (strengthened) MerkleDamg˚ard transformation — does not satisfy this security notion. We provide several constructions that provably satisfy this notion; those new constructions introduce minimal changes to the plain MerkleDamg˚ard construction and are easily implementable in practice.
Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology
 Theory of Cryptography  TCC 2004, Lecture Notes in Computer Science
, 2004
"... Abstract. The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to anot ..."
Abstract

Cited by 96 (2 self)
 Add to MetaCart
(Show Context)
Abstract. The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that indifferentiability is the necessary and sufficient condition on two systems S and T such that the security of any cryptosystem using T as a component is not affected when T is substituted by S. In contrast to indistinguishability, indifferentiability is applicable in settings where a possible adversary is assumed to have access to additional information about the internal state of the involved systems, for instance the public parameter selecting a member from a family of hash functions. Third, we state an easily verifiable criterion for a system U not to be reducible (according to our generalized definition) to another system V and, as an application, prove that a random oracle is not reducible to a weaker primitive, called asynchronous beacon, and also that an asynchronous beacon is not reducible to a finitelength random string. Each of these irreducibility results alone implies the main theorem of Canetti, Goldreich and Halevi stating that there exist cryptosystems that are secure in the random oracle model but for which replacing the random oracle by any implementation leads to an insecure cryptosystem. Key words. Indistinguishability, reductions, indifferentiability, security proofs, random oracle methodology, hash functions.
Separating random oracle proofs from complexity theoretic proofs: The noncommitting encryption case
 IN PROCEEDINGS OF CRYPTO ’02, LNCS SERIES
, 2002
"... We show that there exists a natural protocol problem which has a simple solution in the randomoracle (RO) model and which has no solution in the complexitytheoretic (CT) model, namely the problem of constructing a noninteractive communication protocol secure against adaptive adversaries a.k.a. n ..."
Abstract

Cited by 95 (3 self)
 Add to MetaCart
We show that there exists a natural protocol problem which has a simple solution in the randomoracle (RO) model and which has no solution in the complexitytheoretic (CT) model, namely the problem of constructing a noninteractive communication protocol secure against adaptive adversaries a.k.a. noninteractive noncommitting encryption. This separation between the models is due to the socalled programability of the random oracle. We show this by providing a formulation of the RO model in which the oracle is not programmable, and showing that in this model, there does not exist noninteractive noncommitting encryption.
Sharemind: a framework for fast privacypreserving computations. Cryptology ePrint Archive, Report 2008/289
, 2008
"... Abstract. Gathering and processing sensitive data is a difficult task. In fact, there is no common recipe for building the necessary information systems. In this paper, we present a provably secure and efficient generalpurpose computation system to address this problem. Our solution—SHAREMIND—is a ..."
Abstract

Cited by 95 (16 self)
 Add to MetaCart
(Show Context)
Abstract. Gathering and processing sensitive data is a difficult task. In fact, there is no common recipe for building the necessary information systems. In this paper, we present a provably secure and efficient generalpurpose computation system to address this problem. Our solution—SHAREMIND—is a virtual machine for privacypreserving data processing that relies on share computing techniques. This is a standard way for securely evaluating functions in a multiparty computation environment. The novelty of our solution is in the choice of the secret sharing scheme and the design of the protocol suite. We have made many practical decisions to make largescale share computing feasible in practice. The protocols of SHAREMIND are informationtheoretically secure in the honestbutcurious model with three computing participants. Although the honestbutcurious model does not tolerate malicious participants, it still provides significantly increased privacy preservation when compared to standard centralised databases. 1