Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments
In Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science, 2007
Cited by 42 (13 self)
Abstract
We study the round complexity of various cryptographic protocols. Our main result is a tight lower bound on the round complexity of any fully-black-box construction of a statistically-hiding commitment scheme from one-way permutations, and even from trapdoor permutations. This lower bound matches the round complexity of the statistically-hiding commitment scheme due to Naor, Ostrovsky, Venkatesan and Yung (CRYPTO ’92). As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT ’98) to the setting of interactive protocols (our extension also implies an alternative proof for the main property of the original oracle). In addition, we substantially extend the reconstruction paradigm of Gennaro and Trevisan (FOCS ’00). In both cases, our extensions are quite delicate and may be found useful in proving additional black-box separation results.
Cryptography and game theory: Designing protocols for exchanging information
In Theory of Cryptography Conference, 2008
Cited by 40 (1 self)
Abstract
The goal of this paper is finding fair protocols for the secret sharing and secure multiparty computation (SMPC) problems, when players are assumed to be rational. It was observed by Halpern and Teague (STOC 2004) that protocols with a bounded number of iterations are susceptible to backward induction and cannot be considered rational. Previously suggested cryptographic solutions all share the property of having an essential exponential upper bound on their running time, and hence they are also susceptible to backward induction. Although it seems that this bound is an inherent property of every cryptography-based solution, we show that this is not the case. We suggest coalition-resilient secret sharing and SMPC protocols with the property that after any sequence of iterations it is still a computational best response to follow them. Therefore, the protocols can be run any number of iterations, and are immune to backward induction. The means of communication assumed is a broadcast channel, and we consider both the simultaneous and non-simultaneous cases.
On Oblivious Transfer Capacity
Proc. ISIT 2007, 2007
Cited by 14 (1 self)
Abstract
Upper and lower bounds to the oblivious transfer (OT) capacity of discrete memoryless channels and multiple sources are obtained, for 1-of-2 string OT with honest-but-curious participants. The upper bounds hold also for one-string OT. The results provide the exact value of OT capacity for a specified class of models, and the necessary and sufficient condition for its positivity, in general. This paper is based on the ISIT 07 contribution [2]. The authors did intend to write up a full version and devoted a substantial amount of work to that project, but abandoned it as other obligations delayed completion and the elapsed time caused loss of novelty. Still, the second author considers it proper to publish this paper in this volume, paying tribute to the memory of Rudolph Ahlswede. The results in [2] are completed by some previously unpublished ones which originated from the authors’ discussions during their work towards a full version of [2].
Extracting Correlations
Cited by 10 (2 self)
Abstract
Motivated by applications in cryptography, we consider a generalization of randomness extraction and the related notion of privacy amplification to the case of two correlated sources. We introduce the notion of correlation extractors, which extract nearly perfect independent instances of a given joint distribution from imperfect, or “leaky,” instances of the same distribution. More concretely, suppose that Alice holds a and Bob holds b, where (a, b) are obtained by taking n independent samples from a joint distribution (X, Y) and letting a include all X instances and b include all Y instances. An adversary Eve obtains partial information about (a, b) by choosing a function L with output length t and learning L(a, b). The goal is to design a protocol between Alice and Bob which may use additional fresh randomness, such that for every L as above the following holds. At the end of the interaction, Alice
On the Feasibility of Extending Oblivious Transfer
2012
Cited by 8 (1 self)
Abstract
Oblivious transfer is one of the most basic and important building blocks in cryptography. As such, understanding its cost is of prime importance. Beaver (STOC 1996) showed that it is possible to obtain poly(n) oblivious transfers given only n actual oblivious transfer calls and using one-way functions, where n is the security parameter. In addition, he showed that it is impossible to extend oblivious transfer information-theoretically. The notion of extending oblivious transfer is important theoretically (to understand the complexity of computing this primitive) and practically (since oblivious transfers can be expensive and thus extending them using only one-way functions is very attractive). Despite its importance, very little is known about the feasibility of extending oblivious transfer, beyond the fact that it is impossible information-theoretically. Specifically, it is not known whether or not one-way functions are actually necessary for extending oblivious transfer, whether or not it is possible to extend oblivious transfers with adaptive security, and whether or not it is possible to extend oblivious transfers when starting with just a few. In this paper, we address these questions and provide almost complete answers to all of them. We show that the existence of any oblivious transfer extension protocol with security for static semi-honest adversaries implies one-way functions, that an oblivious transfer extension protocol with adaptive security implies oblivious transfer with static security, and that the existence of an oblivious transfer extension protocol from only O(log n) oblivious transfers implies oblivious transfer itself.
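What "extending oblivious transfer" looks like in code, as an added example that is not part of the listing or of the paper above: the semi-honest OT extension of Ishai, Kilian, Nissim and Petrank (CRYPTO 2003), not Beaver's original construction. K = 128 base OTs on 128-bit seeds are turned into any number m of OTs on longer strings using only a PRG (SHAKE-256 here) and a hash modelled as a random oracle (SHA-256 here); the names `ideal_base_ot`, `prg`, `crh` and `ot_extension` are this example's own. The base OTs are replaced by an ideal functionality, a plain function returning the chosen input, because the point of the example is the extension step, not the base protocol.

```python
"""IKNP-style oblivious-transfer extension, semi-honest setting (added example)."""
import hashlib
import secrets

K = 128  # security parameter = number of base OTs (must be a multiple of 8)


def ideal_base_ot(x0, x1, choice):
    """Ideal 1-out-of-2 OT: the chooser gets x_choice and learns nothing about the other
    input.  Stand-in for a real base OT protocol (assumption made by this demo)."""
    return x1 if choice else x0


def prg(seed, nbits):
    """PRG G: expand a K-bit seed into an nbits-bit integer (SHAKE-256 used as the PRG)."""
    out = hashlib.shake_256(seed).digest((nbits + 7) // 8)
    return int.from_bytes(out, "big") & ((1 << nbits) - 1)


def crh(j, row, length):
    """Correlation-robust hash H(j, row), modelled as a random oracle via SHA-256."""
    data = j.to_bytes(4, "big") + row.to_bytes(K // 8, "big")
    return hashlib.sha256(data).digest()[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def transpose(cols, m):
    """K column integers of m bits each -> m row integers of K bits each."""
    return [sum(((cols[i] >> j) & 1) << i for i in range(K)) for j in range(m)]


def ot_extension(sender_msgs, receiver_choices):
    """Run m extended OTs.  sender_msgs[j] = (m0, m1), equal-length bytes (<= 32 bytes);
    receiver_choices[j] in {0, 1}.  Returns the list of messages the receiver obtains."""
    m = len(sender_msgs)
    ell = len(sender_msgs[0][0])
    if K % 8 != 0 or ell > 32:
        raise ValueError("K must be a multiple of 8 and messages at most 32 bytes")

    # Receiver: choice vector r as an m-bit integer, plus K pairs of random seeds.
    r = sum(bit << j for j, bit in enumerate(receiver_choices))
    seeds = [(secrets.token_bytes(K // 8), secrets.token_bytes(K // 8)) for _ in range(K)]

    # Sender: random K-bit string s.
    s = secrets.randbits(K)

    # K base OTs with the roles reversed: the OT *sender* acts as base-OT chooser with
    # choice bit s_i and learns seed k_i^{s_i}, nothing about the other seed.
    got = [ideal_base_ot(seeds[i][0], seeds[i][1], (s >> i) & 1) for i in range(K)]

    # Receiver -> Sender: column i of T is G(k_i^0); u^i = G(k_i^0) xor G(k_i^1) xor r.
    t_cols = [prg(seeds[i][0], m) for i in range(K)]
    u_cols = [t_cols[i] ^ prg(seeds[i][1], m) ^ r for i in range(K)]

    # Sender: q^i = G(k_i^{s_i}) xor s_i * u^i, which equals t^i xor s_i * r.
    q_cols = [prg(got[i], m) ^ (u_cols[i] if (s >> i) & 1 else 0) for i in range(K)]

    # Row view: q_j = t_j xor (r_j * s).  So q_j = t_j if r_j = 0 and q_j xor s = t_j if r_j = 1.
    Q = transpose(q_cols, m)
    T = transpose(t_cols, m)

    # Sender -> Receiver: mask m_{j,0} with H(j, q_j) and m_{j,1} with H(j, q_j xor s).
    cts = [(xor_bytes(m0, crh(j, Q[j], ell)), xor_bytes(m1, crh(j, Q[j] ^ s, ell)))
           for j, (m0, m1) in enumerate(sender_msgs)]

    # Receiver: H(j, t_j) unmasks exactly the chosen ciphertext; the other pad is H of a
    # row offset by the unknown s, which the receiver cannot compute.
    return [xor_bytes(cts[j][receiver_choices[j]], crh(j, T[j], ell)) for j in range(m)]


if __name__ == "__main__":
    # Constructed sample input: 1000 random 16-byte message pairs and random choice bits.
    msgs = [(secrets.token_bytes(16), secrets.token_bytes(16)) for _ in range(1000)]
    choices = [secrets.randbits(1) for _ in range(1000)]
    out = ot_extension(msgs, choices)
    assert all(out[j] == msgs[j][choices[j]] for j in range(1000))
    print("1000 OTs of 16-byte strings from", K, "base OTs: ok")
```

The count of base OTs is fixed at the security parameter K regardless of m, which is the "poly(n) OTs from n OTs" of the abstract; the only symmetric-key work per extended OT is two hash calls on the sender side and one on the receiver side. The construction is secure only against static semi-honest parties, the setting the abstract's first result is stated in: a malicious receiver can send inconsistent columns u^i and learn bits of s one at a time, which is why actively secure extensions add a consistency check on the receiver's messages.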
On the efficiency of classical and quantum oblivious transfer reductions
In Advances in Cryptology — CRYPTO ’10, Lecture Notes in Computer Science, 2010
Cited by 7 (2 self)
Abstract
Due to its universality, oblivious transfer (OT) is a primitive of great importance in secure multiparty computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as to other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (error-free) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC ’96) or by Dodis and Micali (EUROCRYPT ’99). However, in practice one is usually willing to tolerate a small probability of error, and it is known that these statistical reductions can in general be much more efficient. Thus, the known bounds have only limited application. In the first part of this work we provide bounds on the efficiency of secure (one-sided) two-party computation of arbitrary finite functions from distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use (different variants of) OT as a black box. When applied to implementations of OT, our bounds generalize known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. Furthermore, we provide bounds on the efficiency of protocols implementing Rabin OT.
Adaptively Secure Two-Party Computation with Erasures
2009
Cited by 7 (1 self)
Abstract
In the setting of multiparty computation, a set of parties with private inputs wish to compute some joint function of their inputs, whilst preserving certain security properties (like privacy and correctness). An adaptively secure protocol is one in which the security properties are preserved even if an adversary can adaptively and dynamically corrupt parties during a computation. This provides a high level of security that is arguably necessary in today’s world of active computer break-ins. Until now, the work on adaptively secure multiparty computation has focused almost exclusively on the setting of an honest majority, and very few works have considered the honest minority and two-party cases. In addition, significant computational and communication costs are incurred by most protocols that achieve adaptive security. In this work, we consider the two-party setting and assume that honest parties may erase data. We show that in this model it is possible to securely compute any two-party functionality in the presence of adaptive semi-honest adversaries. Furthermore, our protocol remains secure under concurrent general composition (meaning that it remains secure irrespective of the other protocols running together with it). Our protocol is based on Yao’s garbled-circuit construction and, importantly, is as efficient as the analogous protocol for static corruptions. We argue that the model of adaptive corruptions with erasures has been unjustifiably neglected and that it deserves much more attention.
Efficient Oblivious Transfer Protocols Achieving a Non-Zero Rate from Any Non-Trivial Noisy Correlation
Cited by 3 (0 self)
Abstract
Oblivious transfer (OT) is a two-party primitive which is one of the cornerstones of modern cryptography. We focus on providing information-theoretic security for both parties, hence building OT assuming noisy resources (channels or correlations) available to them. This primitive is about transmitting two strings such that the receiver can obtain one (and only one) of them, while the sender remains ignorant of this choice. Recently, Winter and Nascimento proved that oblivious transfer capacity is positive for any non-trivial discrete memoryless channel or correlation in the case of passive cheaters. Their construction was inefficient. The OT capacity characterizes the maximal efficiency of constructing OT using a particular noisy primitive. Building on their result, we extend it in two ways: 1) we construct efficient passively-secure protocols achieving the same rates; 2) we show that an important class of noisy correlations actually allows one to build OT with non-zero rate secure against active cheating (before, positive rates were only achieved for the erasure channel).
Keywords: Information-theoretic security, oblivious transfer, noisy resources
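The simplest instance of the "OT from a noisy resource" setting that this abstract and the OT-capacity abstract above both refer to, as an added example that is not code from either paper: 1-of-2 string OT from a binary erasure channel with erasure probability 1/2 (the Rabin OT case), for honest-but-curious parties. The sender pushes random bits through the channel; the receiver announces two index sets, one made of positions it received (for the message it wants) and one of positions that were erased; the sender one-time-pads each message with its own bits at the corresponding positions. All function names and the seeded `random.Random` channel simulation are this example's own; the messages in the demo are constructed.

```python
"""1-out-of-2 string OT from a binary erasure channel, passive adversaries (added example)."""
import random

ERASED = None


def erasure_channel(bits, rng, p_erase=0.5):
    """Binary erasure channel: each bit arrives intact w.p. 1 - p_erase, otherwise as ERASED."""
    return [ERASED if rng.random() < p_erase else b for b in bits]


def bytes_to_bits(data):
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def receiver_select(y, c, ell):
    """Receiver with choice bit c: I_c = ell received positions, I_{1-c} = ell erased positions.
    With p_erase = 1/2 the two sets are identically distributed, so they reveal nothing about c."""
    received = [i for i, v in enumerate(y) if v is not ERASED]
    erased = [i for i, v in enumerate(y) if v is ERASED]
    if len(received) < ell or len(erased) < ell:
        raise RuntimeError("not enough received/erased symbols; the sender must push more bits")
    sets = [None, None]
    sets[c] = received[:ell]
    sets[1 - c] = erased[:ell]
    return sets


def sender_encrypt(b, sets, m0, m1):
    """Sender pads m_i with its own channel-input bits at the positions in I_i."""
    pad0 = [b[p] for p in sets[0]]
    pad1 = [b[p] for p in sets[1]]
    e0 = [x ^ k for x, k in zip(bytes_to_bits(m0), pad0)]
    e1 = [x ^ k for x, k in zip(bytes_to_bits(m1), pad1)]
    return e0, e1


def receiver_decrypt(y, sets, c, e0, e1):
    """Receiver knows the pad over I_c (it received those bits) and so recovers m_c."""
    pad = [y[p] for p in sets[c]]
    return bits_to_bytes([x ^ k for x, k in zip((e0, e1)[c], pad)])


def ot_from_erasure_channel(m0, m1, c, seed=0, overhead=4):
    """Run the whole protocol.  Returns (message the receiver obtained, number of channel uses,
    the receiver's view of the pad that protects the other message)."""
    assert len(m0) == len(m1) and c in (0, 1)
    rng = random.Random(seed)        # seeded only so that the demo is reproducible
    ell = 8 * len(m0)
    n = overhead * ell               # channel uses; about n/2 received and n/2 erased at p = 1/2
    b = [rng.getrandbits(1) for _ in range(n)]   # sender's random channel input
    y = erasure_channel(b, rng)                   # what the receiver sees
    sets = receiver_select(y, c, ell)             # receiver -> sender, over a public channel
    e0, e1 = sender_encrypt(b, sets, m0, m1)      # sender -> receiver, over a public channel
    m_c = receiver_decrypt(y, sets, c, e0, e1)
    other_pad_view = [y[p] for p in sets[1 - c]]  # all ERASED: m_{1-c} is padded with unknown bits
    return m_c, n, other_pad_view


if __name__ == "__main__":
    got, uses, view = ot_from_erasure_channel(b"left", b"rite", 1, seed=7)
    print(got, uses, "channel uses; receiver's view of the other pad:", set(view))
```

Each bit of the chosen string consumes one received and one erased position, so this reduction spends about two channel uses per OT bit and discards the rest; the capacity results in the two abstracts bound how much better any reduction can do. The security argument depends on the erasure probability being exactly 1/2: for any other value the sets of received and erased positions have different sizes in expectation and the sender could guess c from which announced set looks like the smaller population, which is why general channels and correlations need the more involved reductions those papers analyse.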
Errortolerant combiners for oblivious primitives
Cited by 2 (0 self)
Abstract
A robust combiner is a construction that combines several implementations of a primitive based on different assumptions, and yields an implementation guaranteed to be secure if at least some assumptions (i.e. sufficiently many but not necessarily all) are valid. In this paper we generalize this concept by introducing error-tolerant combiners, which in addition to protection against insecure implementations provide tolerance to functionality failures: an error-tolerant combiner guarantees a secure and correct implementation of the output primitive even if some of the candidates are insecure or faulty. We present simple constructions of error-tolerant robust combiners for oblivious linear function evaluation. The proposed combiners are also interesting in the regular (not error-tolerant) case, as the construction is much more efficient than the combiners known for oblivious transfer.
Black-Box Constructions of Protocols for Secure Computation
2010
Cited by 2 (1 self)
Abstract
In this paper, we study the question of whether or not it is possible to construct protocols for general secure computation in the setting of malicious adversaries and no honest majority that use the underlying primitive (e.g., enhanced trapdoor permutation) in a black-box way only. Until now, all known general constructions for this setting were inherently non-black-box since they required the parties to prove zero-knowledge statements that are related to the computation of the underlying primitive. Our main technical result is a fully black-box reduction from oblivious transfer with security against malicious parties to oblivious transfer with security against semi-honest parties. As a corollary, we obtain the first constructions of general multiparty protocols (with security against malicious adversaries and without an honest majority) which only make black-box use of semi-honest oblivious transfer, or alternatively black-box use of lower-level primitives such as enhanced trapdoor permutations or homomorphic encryption. In order to construct this reduction we introduce a new notion of security called privacy in the presence of defensible adversaries. This notion states that if an adversary can produce (retroactively, after the protocol terminates) an input and random tape that make