Results 1-10 of 42
Commitment Capacity of Discrete Memoryless Channels
In: Cryptography and Coding, LNCS, 2003. Cited by 28 (1 self).
Abstract: In extension of the bit commitment task and following work initiated by Crépeau and Kilian, we introduce and solve the problem of characterising the optimal rate at which a discrete memoryless channel can be used for bit commitment. It turns out that the answer is very intuitive: it is the maximum equivocation of the channel (after removing trivial redundancy), even when unlimited noiseless bidirectional side communication is allowed. By a well-known reduction, this result provides a lower bound on the channel's capacity for implementing coin tossing, which we conjecture to be an equality. The method of proving this...
Oblivious transfer in the bounded storage model
In: Advances in Cryptology, CRYPTO 2001, 2001. Cited by 25 (3 self).
Abstract: Building on a previous important work of Cachin, Crépeau, and Marcil [15], we present a provably secure and more efficient protocol for 1-out-of-2 Oblivious Transfer with a storage-bounded receiver. A public random string n bits long is employed, and the protocol is secure against any receiver who can store γn bits, γ < 1. Our work improves the work of CCM [15] in two ways. First, the CCM protocol requires the sender and receiver to store O(n^c) bits, c ∼ 2/3. We give a similar but more efficient protocol that requires the sender and receiver to store only O(√(kn)) bits, where k is a security parameter. Second, the basic CCM protocol was proved in [15] to guarantee that a dishonest receiver who can store O(n) bits succeeds with probability at most O(n^{-d}), d ∼ 1/3, although repetition of the protocol can make this cheating probability exponentially small [20]. Combining the methodologies of [24] and [15], we prove that in our protocol a dishonest storage-bounded receiver succeeds with probability only 2^{-O(k)}, without repetition of the protocol. Our results answer an open problem raised by CCM in the affirmative.
A two-server, sealed-bid auction protocol
In: Sixth Annual Proceedings of Financial Cryptography, 2002. Cited by 25 (0 self).
Abstract: Naor, Pinkas, and Sumner introduced and implemented a sealed-bid, two-server auction system that is perhaps the most efficient and practical to date. Based on a cryptographic primitive known as oblivious transfer, their system aims to ensure privacy and correctness provided that at least one auction server behaves honestly. As observed in [19], however, the NPS system suffers from a security flaw in which one of the two servers can cheat so as to modify bids almost arbitrarily and without detection. We propose a means of repairing this flaw while preserving the attractive practical elements of the NPS protocol, including minimal round complexity for servers and minimal computation by players providing private inputs. Our proposal requires a slightly greater amount of computation and communication on the part of the two auction servers, but actually involves much less computation on the part of bidders. This latter feature makes our proposal particularly attractive for use with low-power devices. While the original proposal of NPS involved several dozen exponentiations for a typical auction, ours by contrast involves only several dozen modular multiplications. The key idea in our proposal is a form of oblivious transfer that we refer to as verifiable proxy oblivious transfer (VPOT). Key words: auction, sealed-bid auction, oblivious transfer, secure multiparty computation, secure function evaluation
Oblivious Transfer is Symmetric
In: EUROCRYPT 2006, Springer, LNCS 4004, 2006. Cited by 24 (1 self).
Abstract: We show that oblivious transfer of bits from A to B can be obtained from a single instance of the same primitive from B to A. Our reduction is perfect and shows that oblivious transfer is in fact a symmetric functionality. This solves an open problem posed by Crépeau and Sántha in 1991.
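The reversal this abstract announces, as an added worked example (Python, not the paper's own code). Alice holds (x0, x1), Bob holds the choice bit c, but the only oblivious transfer available runs the other way, with Bob as sender and Alice as receiver. The abstract only states that one reversed instance plus a perfect reduction suffices; the concrete message flow below (Bob masks with a random bit r, Alice uses x0 xor x1 as her OT choice, one cleartext bit finishes the job) is the standard construction as I know it and should be read as an assumption rather than a quotation from the paper. The checks enumerate every input and every coin, so correctness and both privacy properties are verified exhaustively rather than sampled.

```python
"""Reversing one-bit oblivious transfer: OT from Alice to Bob built from one
OT from Bob to Alice.  Added example; the page only states the result."""
import secrets
from itertools import product


def ideal_ot(sender_bits, choice):
    """Ideal 1-out-of-2 bit OT: the receiver learns sender_bits[choice] and
    nothing else; the sender learns nothing about `choice`."""
    b0, b1 = sender_bits
    assert b0 in (0, 1) and b1 in (0, 1) and choice in (0, 1)
    return b1 if choice else b0


def reversed_ot(x0, x1, c, rng=secrets.randbits):
    """Alice holds (x0, x1), Bob holds the choice bit c, but the only OT we can
    call runs from Bob (sender) to Alice (receiver).  Returns
    (bob_output, alice_view, bob_view).  `rng(1)` must return one random bit;
    the default is a real CSPRNG, the checks below inject fixed coins."""
    # Bob: pick a random mask r and act as the OT *sender* with (r, r ^ c).
    r = rng(1)
    bob_ot_inputs = (r, r ^ c)
    # Alice: act as the OT *receiver* with choice bit x0 ^ x1.
    # She obtains y = r ^ ((x0 ^ x1) & c), which is uniform because r is.
    y = ideal_ot(bob_ot_inputs, x0 ^ x1)
    # Alice -> Bob: a single bit in the clear.
    z = y ^ x0
    # Bob strips his mask: z ^ r = x0 ^ ((x0 ^ x1) & c) = x_c.
    out = z ^ r
    return out, {"y": y}, {"r": r, "z": z}


def _fixed(bit):
    """rng stand-in returning a chosen coin, so every coin can be enumerated."""
    return lambda _nbits: bit


def always_correct():
    """Exhaustively: for every (x0, x1, c) and every coin r, Bob gets x_c."""
    for x0, x1, c, r in product((0, 1), repeat=4):
        out, _, _ = reversed_ot(x0, x1, c, rng=_fixed(r))
        if out != (x1 if c else x0):
            return False
    return True


def alice_learns_nothing_about_c():
    """Alice's view is y; over Bob's coin r its distribution must not depend on c."""
    for x0, x1 in product((0, 1), repeat=2):
        dist = [sorted(reversed_ot(x0, x1, c, rng=_fixed(r))[1]["y"] for r in (0, 1))
                for c in (0, 1)]
        if dist[0] != dist[1]:
            return False
    return True


def bob_learns_nothing_about_other_input():
    """Bob's view is (r, z); for fixed c, r and x_c it must not change with x_{1-c}."""
    for c, r, xc in product((0, 1), repeat=3):
        views = set()
        for other in (0, 1):
            x0, x1 = (xc, other) if c == 0 else (other, xc)
            views.add(reversed_ot(x0, x1, c, rng=_fixed(r))[2]["z"])
        if len(views) != 1:
            return False
    return True


if __name__ == "__main__":
    print("correct:", always_correct())
    print("receiver's choice hidden from Alice:", alice_learns_nothing_about_c())
    print("other input hidden from Bob:", bob_learns_nothing_about_other_input())
```

The reduction is perfect in the sense the abstract uses: no error probability and no leakage beyond the ideal functionality, which is why the three checks can be exhaustive over the 16 coin/input combinations rather than statistical.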
Zero-error information and applications in cryptography
In: Proceedings of the 2004 IEEE Information Theory Workshop (ITW), 2004. Cited by 18 (4 self).
Abstract: In analogy to the zero-error variant of the channel capacity, the zero-error information between two random variables is defined. We show that our definition is natural in the sense that the representation of the channel capacity with respect to mutual information carries over to the zero-error variants of the quantities. It is shown that the new notion, together with two operators introduced in the same context, namely the common random variable of two random variables and the dependent part of a random variable with respect to another, is useful for giving characterizations of the possibility of realizing cryptographic tasks (such as bit commitment, coin tossing, or oblivious transfer) from correlated pieces of information.
New monotones and lower bounds in unconditional two-party computation
In: Advances in Cryptology, CRYPTO '05, 2005. Cited by 15 (4 self).
Abstract: Since bit and string oblivious transfer and commitment, two primitives of paramount importance in secure two- and multi-party computation, cannot be realized in an unconditionally secure way for both parties from scratch, reductions to weak information-theoretic primitives as well as between different variants of the functionalities are of great interest. In this context, we introduce three independent monotones (quantities that cannot be increased by any protocol) and use them to derive lower bounds on the possibility and efficiency of such reductions. An example is the transition between different versions of oblivious transfer, for which we also propose a new protocol that increases the number of messages the receiver can choose from at the price of a reduction of their length. Our scheme matches the new lower bound and is, therefore, optimal.
Compositional closure for Bayes Risk in probabilistic noninterference
In: Proc. ICALP 2010, LNCS volume 6199, 2010. Cited by 11 (5 self).
Abstract: We give a sequential model for noninterference security including probability (but not demonic choice), thus supporting reasoning about the likelihood that high-security values might be revealed by observations of low-security activity. Our novel methodological contribution is the definition of a refinement order (⊑) and its use to compare security measures between specifications and (their supposed) implementations. This contrasts with the more common practice of evaluating the security of individual programs in isolation. The appropriateness of our model and order is supported by our showing that (⊑) is the greatest compositional relation (the compositional closure) with respect to our semantics and an "elementary" order based on Bayes Risk, a security measure already in widespread use. We also relate refinement to other measures such as Shannon Entropy. By applying the approach to a non-trivial example, the anonymous-majority Three-Judges protocol, we demonstrate by example that correctness arguments can be simplified by the sort of layered developments (through levels of increasing detail) that are allowed and encouraged by compositional semantics.
The shadow knows: Refinement and security in sequential programs
In: Sci. Comput. Program., 2009. Cited by 10 (0 self).
Abstract: Stepwise refinement is a crucial conceptual tool for system development, encouraging program construction via a number of separate correctness-preserving stages which ideally can be understood in isolation. A crucial conceptual component of security is an adversary's ignorance of concealed information. We suggest a novel method of combining these two ideas. Our suggestion is based on a mathematical definition of "ignorance-preserving" refinement that extends classical refinement by limiting an adversary's access to concealed information: moving from specification to implementation should never increase that access. The novelty is the way we achieve this in the context of sequential programs. Specifically we give an operational model (and detailed justification for it), a basic sequential programming language and its operational semantics in that model, a "logic of ignorance" interpreted over the same model, then a program-logical semantics bringing those together, and finally we use the logic to establish, via refinement, the correctness of a real (though small) protocol: Rivest's Oblivious Transfer. A previous report treated Chaum's Dining Cryptographers similarly. In passing we solve the Refinement Paradox for sequential programs.
On the Oblivious Transfer Capacity of the Erasure Channel
2006. Cited by 10 (3 self).
Abstract: One of the most important primitives in two-party distrustful cryptography is oblivious transfer, a complete primitive for two-party computation. The recently introduced oblivious transfer capacity of a noisy channel measures the efficiency of information-theoretic reductions from 1-out-of-k, l-string oblivious transfer to noisy channels. It is defined as the maximal achievable ratio l/n, where l is the length of the strings which are to be transferred and n is the number of times the noisy channel is invoked. This quantity is unknown in the general case. For discrete memoryless channels, it is known to be non-negligible for honest-but-curious players, but non-zero rates have never been proved achievable in the case of malicious players. Here, we show that in the particular case of the erasure channel, more precise answers can be obtained. We compute the OT capacity of the erasure channel for the case of honest-but-curious players and, for fully malicious players, we give a lower bound on it.
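To make the ratio l/n in this abstract concrete, here is an added example (Python, not the paper's code) of the classic honest-but-curious reduction of 1-out-of-2 string OT to a binary erasure channel: Alice pushes n random bits through the channel, Bob sorts positions into "received" and "erased", names one set of each kind of size l, and Alice one-time-pads each string with her bits at the matching set. It goes slightly beyond the abstract in that it transfers l-bit strings rather than single bits, which is exactly what the ratio l/n measures; the sample inputs, the seeded channel and the helper names are my own, and the code makes no claim about what the capacity itself is, only about what this one construction achieves.

```python
"""Honest-but-curious 1-out-of-2 string OT from n uses of a binary erasure
channel.  Added example (not the paper's code); it reports the ratio l/n the
abstract defines for this one construction and says nothing about the
capacity itself."""
import random
import secrets

ERASED = None


def erasure_channel(bits, p_erase, rng):
    """Binary erasure channel: each bit is independently replaced by ERASED
    with probability p_erase.  The sender receives no feedback."""
    return [ERASED if rng.random() < p_erase else b for b in bits]


def ot_from_erasure(x0, x1, c, n, p_erase=0.5, rng=None):
    """Alice holds bit lists x0, x1 of equal length l; Bob holds the choice c.
    The channel is used n times.  Returns (bob_output, transcript); the output
    is None when fewer than l positions were received or fewer than l erased."""
    rng = rng or secrets.SystemRandom()
    l = len(x0)
    assert len(x1) == l and c in (0, 1)
    # Alice: n uniformly random bits through the channel.
    s = [rng.randrange(2) for _ in range(n)]
    got = erasure_channel(s, p_erase, rng)
    received = [i for i, b in enumerate(got) if b is not ERASED]
    erased = [i for i, b in enumerate(got) if b is ERASED]
    if len(received) < l or len(erased) < l:
        return None, {"abort": (len(received), len(erased))}
    # Bob -> Alice: two disjoint index sets.  I_c holds positions he received,
    # I_{1-c} positions that were erased.  Alice got no feedback from the
    # channel, so the ordered pair (I_0, I_1) tells her nothing about c.
    idx = [None, None]
    idx[c] = received[:l]
    idx[1 - c] = erased[:l]
    # Alice -> Bob: x_j one-time-padded with her bits of s at positions I_j.
    m0 = [xb ^ s[i] for xb, i in zip(x0, idx[0])]
    m1 = [xb ^ s[i] for xb, i in zip(x1, idx[1])]
    # Bob: knows s on every position of I_c, so he strips that pad.  On
    # I_{1-c} every bit was erased, so m_{1-c} is a perfect one-time pad to him.
    m_c = m1 if c else m0
    out = [mb ^ got[i] for mb, i in zip(m_c, idx[c])]
    transcript = {
        "I0": idx[0], "I1": idx[1], "m0": m0, "m1": m1,
        "rate": l / n,
        # simulator bookkeeping, not a protocol message: how many pad bits of
        # the string Bob did not choose he actually saw (must be 0)
        "other_pad_known_to_bob": sum(got[i] is not ERASED for i in idx[1 - c]),
    }
    return out, transcript


def run_example(seed=1, n=200, c=1, p_erase=0.5):
    """Constructed sample strings and a seeded channel so a run is repeatable.
    Returns (bob_output, expected x_c, transcript)."""
    x0 = [int(b) for b in "10110010110011101000"]
    x1 = [int(b) for b in "01010111000110001111"]
    out, tr = ot_from_erasure(x0, x1, c, n, p_erase, rng=random.Random(seed))
    return out, (x1 if c else x0), tr


def best_l(n, p_erase, rng):
    """Largest l this construction can serve for one channel run: both index
    sets need l positions, so l is bounded by min(#received, #erased)."""
    got = erasure_channel([0] * n, p_erase, rng)
    k = sum(b is ERASED for b in got)
    return min(k, n - k)


if __name__ == "__main__":
    out, expected, tr = run_example()
    print("bob output matches x_c:", out == expected, "rate l/n =", tr["rate"])
    print("achievable l for n=1000, p=0.5:", best_l(1000, 0.5, random.Random(2)))
```

Two things to notice when reading the transcript: Alice never learns which set was the erased one, because the erasure channel gives her no feedback, and Bob's pad for the unchosen string consists entirely of erased positions, which is what `other_pad_known_to_bob == 0` records. The construction is only safe against honest-but-curious parties; a malicious Bob could put received positions into both sets, and the abstract's remark that non-zero rates are harder to prove for malicious players starts exactly there.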
Constructions and Bounds for Unconditionally Secure Non-Interactive Commitment Schemes
In: Designs, Codes, and Cryptography, 2002. Cited by 10 (2 self).
Abstract: Commitment schemes have been extensively studied since they were introduced by Blum in 1982. Rivest recently showed how to construct unconditionally secure non-interactive commitment schemes, assuming the existence of a trusted initializer. In this paper, we present a formal mathematical model for unconditionally secure non-interactive commitment schemes with a trusted initializer and analyze their binding and concealing properties. In particular, we show that such schemes cannot be perfectly binding: there is necessarily a small probability that Alice can cheat Bob by committing to one value but later revealing a different value. We prove several bounds on Alice's cheating probability, and present constructions of schemes that achieve optimal cheating probabilities. We also analyze a class of commitment schemes based on resolvable designs.
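A worked version of the trusted-initializer setting this abstract analyses, added here and not taken from the paper (Python). The scheme below is the line-and-point construction I associate with Rivest's proposal: the initializer gives Alice a random line (a, b) over Z_p and Bob one point (x1, y1) on it; Alice commits to m by sending m + b and opens by revealing m and the slope a. I have written it from memory, so its exact form, the function names and the rule that x1 is drawn non-zero are assumptions. What the code checks exhaustively for a small prime is the page's own claim: concealment can be perfect, but binding cannot, because a cheating Alice can always open to another value by guessing x1.

```python
"""Non-interactive commitment with a trusted initializer (TI), in the style
of the Rivest scheme the abstract refers to.  Added example; the exact scheme
is written from memory and is an assumption, the checks are exhaustive."""
from fractions import Fraction
from itertools import product
import secrets


def trusted_initializer(p, rng=None):
    """TI hands Alice a random line (a, b) over Z_p and Bob one point on it.
    x1 is drawn non-zero: with x1 = 0 Bob would know b and commitments leak
    (hiding_is_perfect(p, allow_zero_x1=True) shows this)."""
    rng = rng or secrets.SystemRandom()
    a, b = rng.randrange(p), rng.randrange(p)
    x1 = rng.randrange(1, p)
    return (a, b), (x1, (a * x1 + b) % p)


def commit(alice_share, m, p):
    """Commit phase: one message y = m + b mod p."""
    _, b = alice_share
    return (m + b) % p


def open_commitment(alice_share, m):
    """Reveal phase: Alice sends m and the slope a."""
    a, _ = alice_share
    return (m, a)


def verify(bob_share, y, opening, p):
    """Bob recomputes b = y - m and checks that his point lies on the line."""
    x1, y1 = bob_share
    m, a = opening
    b = (y - m) % p
    return (a * x1 + b) % p == y1


def honest_roundtrip(p, m, rng=None):
    alice, bob = trusted_initializer(p, rng)
    return verify(bob, commit(alice, m, p), open_commitment(alice, m), p)


def cheating_open(alice_share, m, m2, guess_x1, p):
    """Dishonest Alice, committed to m, tries to open to m2 != m.  Bob accepts
    slope a + (m2 - m) / x1, but she does not know x1 and has to guess it."""
    a, _ = alice_share
    return (m2, (a + (m2 - m) * pow(guess_x1, -1, p)) % p)


def hiding_is_perfect(p, allow_zero_x1=False):
    """For every Bob view (x1, y1) and every message m, the commitment y must
    be uniform over the (a, b) pairs consistent with that view.  Exhaustive,
    so keep p small."""
    x1_range = range(0 if allow_zero_x1 else 1, p)
    for x1, y1, m in product(x1_range, range(p), range(p)):
        ys = sorted((m + (y1 - a * x1)) % p for a in range(p))  # b = y1 - a*x1
        if ys != list(range(p)):
            return False
    return True


def max_cheat_probability(p):
    """Best chance any dishonest Alice has of opening y to some m2 != m: for
    each committed state and each candidate slope a2, count the x1 values
    (uniform on Z_p^*) for which Bob accepts, and take the maximum."""
    best = 0
    for a, b, m, m2 in product(range(p), repeat=4):
        if m2 == m:
            continue
        y = commit((a, b), m, p)
        for a2 in range(p):
            accepted = sum(verify((x1, (a * x1 + b) % p), y, (m2, a2), p)
                           for x1 in range(1, p))
            best = max(best, accepted)
    return Fraction(best, p - 1)


if __name__ == "__main__":
    print("honest open accepted:", honest_roundtrip(101, 42))
    print("perfectly hiding (x1 != 0):", hiding_is_perfect(7))
    print("perfectly hiding if x1 may be 0:", hiding_is_perfect(7, allow_zero_x1=True))
    print("best cheating probability, p=7:", max_cheat_probability(7))
```

`max_cheat_probability` is a brute-force bound over every opening a cheating Alice could send, not just the guessing strategy in `cheating_open`, so for this scheme it shows that no strategy beats 1/(p-1): there is exactly one x1 that makes a wrong slope verify, which is the "small but necessary" cheating probability the abstract speaks of. Larger p shrinks it but never removes it.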