Universally composable security: A new paradigm for cryptographic protocols
2013
Abstract

Cited by 842 (43 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority
In Proc. 36th STOC, 2004
Abstract

Cited by 69 (19 self)
We show how to securely realize any multi-party functionality in a way that preserves security under an a priori bounded number of concurrent executions, regardless of the number of corrupted parties. Previous protocols for the above task either rely on setup assumptions such as a Common Reference String, or require an honest majority. Our constructions are in the plain model and rely on standard intractability assumptions (enhanced trapdoor permutations and collision resistant hash functions). Even though our main focus is on feasibility of concurrent multi-party computation we actually obtain a protocol using only a constant number of communication rounds. As a consequence our protocol yields the first construction of constant-round stand-alone secure multi-party computation with a dishonest majority, proven secure under standard (polynomial-time) hardness assumptions; previous solutions to this task either require logarithmic round-complexity, or sub-exponential hardness assumptions. The core of our protocol is a novel construction of (concurrently) simulation-sound zero-knowledge protocols, which might be of independent interest. Finally, we extend the framework constructed to give a protocol for secure multi-party (and thus two-party) computation for any number of corrupted parties, which remains secure even when arbitrary subsets of parties concurrently execute the protocol, possibly with interchangeable roles. As far as we know, for the case of two-party or multi-party protocols with a dishonest majority, this is the first positive result for any non-trivial functionality which achieves this property in the plain model.
Concurrent non-malleable commitments
In FOCS, 2005
Abstract

Cited by 42 (14 self)
We present a non-malleable commitment scheme that retains its security properties even when concurrently executed a polynomial number of times. That is, a man-in-the-middle adversary who is simultaneously participating in multiple concurrent commitment phases of our scheme, both as a sender and as a receiver, cannot make the values he commits to depend on the values he receives commitments to. Our result is achieved without assuming an a priori bound on the number of executions and without relying on any setup assumptions. Our construction relies on the existence of standard claw-free permutations and only requires a constant number of communication rounds.
How to play almost any mental game over the net - concurrent composition via super-polynomial simulation
In Proceedings of the 46th Annual Symposium on Foundations of Computer Science (FOCS '05), 2005
Abstract

Cited by 24 (2 self)
We construct a secure protocol for any multi-party functionality that remains secure (under a relaxed definition of security introduced by Prabhakaran and Sahai (STOC '04)) when executed concurrently with multiple copies of itself and other protocols, without any assumptions on existence of trusted parties, common reference string, honest majority or synchronicity of the network. The relaxation of security is obtained by allowing the ideal-model simulator to run in quasi-polynomial (as opposed to polynomial) time. Quasi-polynomial simulation suffices to ensure security for most applications of multi-party computation. Furthermore, Lindell (FOCS '03, TCC '04) recently showed that such a protocol is impossible to obtain under the more standard definition of polynomial-time simulation by an ideal adversary.
Constant-round concurrent zero knowledge from falsifiable assumptions
2012
Abstract

Cited by 17 (5 self)
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: roughly speaking, that Micali's non-interactive CS-proofs are sound for languages in P.
Non-Malleability Amplification
In 41st STOC, 2009
Abstract

Cited by 17 (9 self)
We show a technique for amplifying commitment schemes that are non-malleable with respect to identities of length t, into ones that are non-malleable with respect to identities of length Ω(2^t), while only incurring a constant overhead in round-complexity. As a result we obtain a construction of O(1)^{log* n}-round (i.e., "essentially" constant-round) non-malleable commitments from any one-way function, and using a black-box proof of security.
Concurrent Non-Malleable Commitments from One-way Functions
2007
Abstract

Cited by 13 (7 self)
We show the existence of concurrent non-malleable commitments based on the existence of one-way functions. Our proof of security only requires the use of black-box techniques, and additionally provides an arguably simplified proof of the existence of even stand-alone secure non-malleable commitments.
Tight bounds for unconditional authentication protocols in the manual channel and shared key models
In Advances in Cryptology (CRYPTO '06), 2006
Abstract

Cited by 12 (2 self)
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) − O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 log(1/ε) − 2 on the
Concurrent Non-Malleable Zero Knowledge
In Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science, 2006
Abstract

Cited by 12 (0 self)
We provide the first construction of a concurrent and non-malleable zero knowledge argument for every language in NP. We stress that our construction is in the plain model with no common random string, trusted parties, or super-polynomial simulation. That is, we construct a zero knowledge protocol Π such that for every polynomial-time adversary that can adaptively and concurrently schedule polynomially many executions of Π, and corrupt some of the verifiers and some of the provers in these sessions, there is a polynomial-time simulator that can simulate a transcript of the entire execution, along with the witnesses for all statements proven by a corrupt prover to an honest verifier. Our security model is the traditional model for concurrent zero knowledge, where the statements to be proven by the honest provers are fixed in advance and do not depend on the previous history (but can be correlated with each other); corrupted provers, of course, can choose the statements adaptively. We also prove that there exists some functionality F (a combination of zero knowledge and oblivious transfer) such that it is impossible to obtain a concurrent non-malleable protocol for F in this model. Previous impossibility results for composable protocols ruled out existence of protocols for a wider class of functionalities (including zero knowledge!) but only if these protocols were required to remain secure when executed concurrently with arbitrarily chosen different protocols (Lindell, FOCS 2003) or if these protocols were required to remain secure when the honest parties' inputs in each execution are chosen adaptively based on the results of previous executions
Constant-Round Non-Malleable Commitments from Any One-Way Function
2011
Abstract

Cited by 10 (3 self)
We show unconditionally that the existence of commitment schemes implies the existence of constant-round non-malleable commitments; earlier protocols required additional assumptions such as collision resistant hash functions or sub-exponential one-way functions. Our protocol also satisfies the stronger notions of concurrent non-malleability and robustness. As a corollary, we establish that constant-round non-malleable zero-knowledge arguments for NP can be based on one-way functions and constant-round secure multi-party computation can be based on enhanced trapdoor permutations; also here, earlier protocols additionally required either collision-resistant hash functions or sub-exponential one-way functions.