Results 1  10
of
114
Universally composable security: A new paradigm for cryptographic protocols
, 2013
"... We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved ..."
Abstract

Cited by 842 (43 self)
 Add to MetaCart
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its securitypreserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
How to Go Beyond the BlackBox Simulation Barrier
 In 42nd FOCS
, 2001
"... The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present t ..."
Abstract

Cited by 240 (13 self)
 Add to MetaCart
(Show Context)
The simulation paradigm is central to cryptography. A simulator is an algorithm that tries to simulate the interaction of the adversary with an honest party, without knowing the private input of this honest party. Almost all known simulators use the adversary’s algorithm as a blackbox. We present the first constructions of nonblackbox simulators. Using these new nonblackbox techniques we obtain several results that were previously proven to be impossible to obtain using blackbox simulators. Specifically, assuming the existence of collision resistent hash functions, we construct a new zeroknowledge argument system for NP that satisfies the following properties: 1. This system has a constant number of rounds with negligible soundness error. 2. It remains zero knowledge even when composed concurrently n times, where n is the security parameter. Simultaneously obtaining 1 and 2 has been recently proven to be impossible to achieve using blackbox simulators. 3. It is an ArthurMerlin (public coins) protocol. Simultaneously obtaining 1 and 3 was known to be impossible to achieve with a blackbox simulator. 4. It has a simulator that runs in strict polynomial time, rather than in expected polynomial time. All previously known constantround, negligibleerror zeroknowledge arguments utilized expected polynomialtime simulators.
Universally Composable TwoParty and MultiParty Secure Computation
, 2002
"... We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many pa ..."
Abstract

Cited by 155 (34 self)
 Add to MetaCart
(Show Context)
We show how to securely realize any twoparty and multiparty functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multiparty network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies nonmalleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
Efficient Concurrent ZeroKnowledge in the Auxiliary String Model
, 2000
"... We show that if any oneway function exists, then 3round concurrent zeroknowledge arguments for all NP problems can be built in a model where a short auxiliary string with a prescribed distribution is available to the players. We also show that a wide range of known efficient proofs of knowledge ..."
Abstract

Cited by 130 (2 self)
 Add to MetaCart
We show that if any oneway function exists, then 3round concurrent zeroknowledge arguments for all NP problems can be built in a model where a short auxiliary string with a prescribed distribution is available to the players. We also show that a wide range of known efficient proofs of knowledge using specialized assumptions can be modified to work in this model with no essential loss of efficiency. We argue that the assumptions of the model will be satisfied in many practical scenarios where public key cryptography is used, in particular our construction works given any secure public key infrastructure. Finally, we point out that in a model with preprocessing (and no auxiliary string) proposed earlier, concurrent zeroknowledge for NP can be based on any oneway function.
BlackBox Concurrent ZeroKnowledge Requires (almost) Logarithmically Many Rounds
 SIAM Journal on Computing
, 2002
"... We show that any concurrent zeroknowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via blackbox simulation, must use at least ~ \Omega\Gamma/10 n) rounds of interaction. This result achieves a substantial improvement over previous lower bound ..."
Abstract

Cited by 105 (9 self)
 Add to MetaCart
We show that any concurrent zeroknowledge protocol for a nontrivial language (i.e., for a language outside BPP), whose security is proven via blackbox simulation, must use at least ~ \Omega\Gamma/10 n) rounds of interaction. This result achieves a substantial improvement over previous lower bounds, and is the first bound to rule out the possibility of constantround concurrent zeroknowledge when proven via blackbox simulation. Furthermore, the bound is polynomially related to the number of rounds in the best known concurrent zeroknowledge protocol for languages in NP (which is established via blackbox simulation).
On the Limitations of Universally Composable TwoParty Computation without Setup Assumptions
 Journal of Cryptology
, 2003
"... Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrar ..."
Abstract

Cited by 104 (18 self)
 Add to MetaCart
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multiparty, multiprotocol, multiexecution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of twoparty protocols. We study the feasibility of universally composable twoparty function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible ” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output. 1
Resettable zeroknowledge
, 2000
"... We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each ..."
Abstract

Cited by 80 (6 self)
 Add to MetaCart
(Show Context)
We introduce the notion of Resettable ZeroKnowledge (rZK), a new security measure for cryptographic protocols which strengthens the classical notion of zeroknowledge. In essence, an rZK protocol is one that remains zero knowledge even if an adversary can interact with the prover many times, each time resetting the prover to its initial state and forcing it to use the same random tape. All known examples of zeroknowledge proofs and arguments are trivially breakable in this setting. Moreover, by definition, all zeroknowledge proofs of knowledge are breakable in this setting. Under general complexity assumptions, which hold for example if the Discrete Logarithm Problem is hard, we construct: ffl Resettable ZeroKnowledge proofsystems for NP with nonconstant number of rounds. ffl Fiveround Resettable WitnessIndistinguishable proofsystems for NP. ffl Fourround Resettable ZeroKnowledge arguments for NP in the public key model: where verifiers have fixed, public keys associated with them.
Magic Functions
, 1999
"... We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem. ..."
Abstract

Cited by 77 (1 self)
 Add to MetaCart
We consider three apparently unrelated fundamental problems in distributed computing, cryptography and complexity theory and prove that they are essentially the same problem.
BoundedConcurrent Secure MultiParty Computation with a Dishonest Majority
 In Proc. 36th STOC
, 2004
"... We show how to securely realize any multiparty functionality in a way that preserves security under an apriori bounded number of concurrent executions, regardless of the number of corrupted parties. Previous protocols for the above task either rely on setup assumptions such as a Common Reference ..."
Abstract

Cited by 69 (19 self)
 Add to MetaCart
(Show Context)
We show how to securely realize any multiparty functionality in a way that preserves security under an apriori bounded number of concurrent executions, regardless of the number of corrupted parties. Previous protocols for the above task either rely on setup assumptions such as a Common Reference String, or require an honest majority. Our constructions are in the plain model and rely on standard intractability assumptions (enhanced trapdoor permutations and collision resistant hash functions). Even though our main focus is on feasibility of concurrent multiparty computation we actually obtain a protocol using only a constant number of communication rounds. As a consequence our protocol yields the first construction of constantround standalone secure multiparty computation with a dishonest majority, proven secure under standard (polynomialtime) hardness assumptions; previous solutions to this task either require logarithmic roundcomplexity, or subexponential hardness assumptions. The core of our protocol is a novel construction of (concurrently) simulationsound zeroknowledge protocols, which might be of independent interest. Finally, we extend the framework constructed to give a protocol for secure multiparty (and thus twoparty) computation for any number of corrupted parties, which remains secure even when arbitrary subsets of parties concurrently execute the protocol, possibly with interchangeable roles. As far as we know, for the case of twoparty or multiparty protocols with a dishonest majority, this is the first positive result for any nontrivial functionality which achieves this property in the plain model.
Concurrent ZeroKnowledge: Reducing the Need for Timing Constraints
 In Crypto98, Springer LNCS 1462
, 1998
"... Abstract. An interactive proof system (or argument) (P, V)isconcurrent zeroknowledge if whenever the prover engages in polynomially many concurrent executions of (P, V), with (possibly distinct) colluding polynomial time bounded verifiers V1,...,Vpoly(n), the entire undertaking is zeroknowledge. D ..."
Abstract

Cited by 54 (6 self)
 Add to MetaCart
(Show Context)
Abstract. An interactive proof system (or argument) (P, V)isconcurrent zeroknowledge if whenever the prover engages in polynomially many concurrent executions of (P, V), with (possibly distinct) colluding polynomial time bounded verifiers V1,...,Vpoly(n), the entire undertaking is zeroknowledge. Dwork, Naor, and Sahai recently showed the existence of a large class of concurrent zeroknowledge arguments, including arguments for all of NP, under a reasonable assumption on the behavior of clocks of nonfaulty processors. In this paper, we continue the study of concurrent zeroknowledge arguments. After observing that, without recourse to timing, the existence of a trusted center considerably simplifies the design and proof of many concurrent zeroknowledge arguments (again including arguments for all of NP), we design a preprocessing protocol protocol, making use of timing, to simulate the trusted center for the purposes of achieving concurrent zeroknowledge. Once a particular prover and verifier have executed the preprocessing protocol protocol, any polynomial number of subsequent executions of a rich class of protocols will be concurrent zeroknowledge. 1