Universally Composable Two-Party and Multi-Party Secure Computation
2002
We show how to securely realize any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multi-party network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies non-malleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.
On notions of security for deterministic encryption, and efficient constructions without random oracles. Full version of this paper
2008
Abstract. The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO '07), who provided the "strongest possible" notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a priori hard to guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for many practical applications. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC '08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting as well.
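The "a priori hard to guess" restriction in the abstract above is the whole game for deterministic encryption: with no randomness in the encryptor, an attacker who can enumerate the message space simply re-encrypts guesses. The following Python is an added illustration, not code from the paper and not its construction. Textbook RSA stands in as the deterministic scheme only because it is the simplest deterministic trapdoor permutation; the primes, the PIN and the token are constructed demo values.

```python
"""Added example (not the paper's construction): deterministic encryption
cannot hide a message the attacker can enumerate, which is why the paper's
notion requires each message to be a priori hard to guess.  Textbook RSA
plays the deterministic scheme; all parameters are constructed demo values."""
import secrets

# Constructed demo primes (Mersenne primes; assumption: far too small for real use).
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def keygen(p=P, q=Q, e=E):
    """Textbook RSA key pair: a deterministic trapdoor permutation on Z_n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # gcd(e, phi) == 1 holds for these primes
    return (n, e), (n, d)


def encrypt(pk, m):
    """No randomness: equal plaintexts always give equal ciphertexts."""
    n, e = pk
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def dictionary_attack(pk, c, candidates):
    """Adversary holding only the public key: re-encrypt every guess and compare.
    Succeeds exactly when the true message lies in an enumerable set."""
    for m in candidates:
        if encrypt(pk, m) == c:
            return m
    return None


def demo():
    pk, sk = keygen()

    # Low-entropy message (constructed 4-digit PIN): recovered with 10^4 encryptions.
    pin = 4271
    c_pin = encrypt(pk, pin)
    recovered_pin = dictionary_attack(pk, c_pin, range(10_000))

    # High-entropy message (128-bit token, top bit forced so it is never a small
    # integer): the same attack finds nothing, yet the legitimate receiver decrypts.
    token = secrets.randbits(128) | (1 << 127)
    c_token = encrypt(pk, token)
    token_guess = dictionary_attack(pk, c_token, range(10_000))

    return {
        "deterministic": encrypt(pk, pin) == c_pin,  # plaintext equality is visible
        "recovered_pin": recovered_pin,
        "token_guess": token_guess,
        "roundtrip": decrypt(sk, c_token) == token,
    }


if __name__ == "__main__":
    print(demo())
```

The example isolates the entropy requirement only; textbook RSA has none of the CPA/CCA hardening the paper builds on top of a lossy-trapdoor-function framework, so it should not be read as a secure deterministic scheme even for high-entropy inputs.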
Universally Composable Security with Global Setup
In Proceedings of the 4th Theory of Cryptography Conference
2007
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that re-establishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
On Simulation-Sound Trapdoor Commitments
In Proceedings of EUROCRYPT '04, LNCS series
2003
We study the recently introduced notion of a simulation-sound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any one-way functions, and how to construct very efficient SSTC schemes based on specific number-theoretic assumptions. We also show how to construct simulation-sound, non-malleable, and universally-composable zero-knowledge protocols using SSTC schemes, yielding, for instance, the most efficient universally-composable zero-knowledge protocols known. Finally, we explore the relation between SSTC schemes and non-malleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are non-malleable.
Strengthening Zero-Knowledge Protocols using Signatures
In Proceedings of EUROCRYPT '03, LNCS series
2003
Recently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, non-malleability, and universal composability. In this paper,
More constructions of lossy and correlation-secure trapdoor functions. Cryptology ePrint Archive, Report 2009/590
2009
We propose new and improved instantiations of lossy trapdoor functions (Peikert and Waters, STOC '08), and correlation-secure trapdoor functions (Rosen and Segev, TCC '09). Our constructions widen the set of number-theoretic assumptions upon which these primitives can be based, and are summarized as follows:
• Lossy trapdoor functions based on the quadratic residuosity assumption. Our construction relies on modular squaring, and whereas previous such constructions were based on seemingly stronger assumptions, we present the first construction that is based solely on the quadratic residuosity assumption. We also present a generalization to higher-order power residues.
• Lossy trapdoor functions based on the composite residuosity assumption. Our construction guarantees essentially any required amount of lossiness, where at the same time the functions are more efficient than the matrix-based approach of Peikert and Waters.
• Lossy trapdoor functions based on the d-Linear assumption. Our construction both simplifies the DDH-based construction of Peikert and Waters, and admits a generalization to the whole family of d-Linear assumptions without any loss of efficiency.
• Correlation-secure trapdoor functions related to the hardness of syndrome decoding.
Keywords: Public-key encryption, lossy trapdoor functions, correlation-secure trapdoor functions. An extended abstract of this work appears in Public Key Cryptography — PKC 2010, Springer LNCS 6056.
Universally Composable Efficient Multiparty Computation from Threshold Homomorphic Encryption
In Advances in Cryptology - CRYPTO '03
2003
We present a new general multiparty computation protocol for the cryptographic scenario which is universally composable — in particular, it is secure against an active and adaptive adversary, corrupting any minority of the parties. The protocol is as efficient as the best known statically secure solutions, in particular the number of bits broadcast (which dominates the complexity) is Ω(nkC), where n is the number of parties, k is a security parameter, and C is the size of a circuit doing the desired computation. Unlike previous adaptively secure protocols for the cryptographic model, our protocol does not use non-committing encryption, instead it is based on homomorphic threshold encryption, in particular the Paillier cryptosystem.
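The property of Paillier that the abstract above leans on is additive homomorphism: addition gates of the circuit can be evaluated on ciphertexts with no interaction at all. The Python below is an added example, not the paper's protocol and not its code; it shows the single-key Paillier operations (encrypt, add, multiply by a public constant, re-randomize, decrypt), while the paper's threshold decryption and its interactive handling of multiplication gates are not shown. The primes and the parties' inputs are constructed demo values.

```python
"""Added example (not the paper's protocol): additive homomorphism of the
Paillier cryptosystem.  Single-key version only; threshold decryption and
the paper's multiplication gates are out of scope.  Primes are constructed."""
import math
import secrets

# Constructed demo primes (Mersenne primes; assumption: far too small for real use).
P = 2**107 - 1
Q = 2**127 - 1


def _L(u, n):
    """Paillier's L function, defined on u == 1 (mod n)."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("p, q unsuitable for Paillier")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    n2 = n * n
    g = n + 1  # standard choice: g^m = 1 + m*n (mod n^2), so _L(g^lam) = lam mod n
    mu = pow(_L(pow(g, lam, n2), n), -1, n)
    return (n, g), (n, lam, mu)


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh random r: probabilistic, unlike RSA."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(n)
        if r and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    n, lam, mu = sk
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add(pk, c1, c2):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2 mod n): an addition gate, no interaction."""
    return (c1 * c2) % (pk[0] ** 2)


def scale(pk, c, k):
    """Enc(m)^k = Enc(k * m mod n): multiplication by a public constant."""
    return pow(c, k, pk[0] ** 2)


def rerandomize(pk, c):
    """Multiply by a fresh Enc(0) so a derived ciphertext is unlinkable to its inputs."""
    return add(pk, c, encrypt(pk, 0))


def demo():
    pk, sk = keygen()
    inputs = [13, 29, 7]  # constructed private inputs of three parties
    cts = [encrypt(pk, x) for x in inputs]
    c_sum = cts[0]
    for c in cts[1:]:
        c_sum = add(pk, c_sum, c)          # evaluated without seeing any input
    c_scaled = rerandomize(pk, scale(pk, c_sum, 5))
    return {
        "sum": decrypt(sk, c_sum),         # 13 + 29 + 7 = 49
        "scaled": decrypt(sk, c_scaled),   # 5 * 49 = 245
        "fresh": rerandomize(pk, c_sum) != c_sum,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the malleability exploited here is deliberate and is exactly what a CCA-secure scheme forbids, so a protocol built on it has to add its own machinery against an active adversary (the abstract does not spell that out, and this example does not attempt it); multiplying two encrypted values, as opposed to a ciphertext by a constant, is likewise not a local operation in Paillier.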
Efficient Set Operations in the Presence of Malicious Adversaries
In IACR PKC
2010
We revisit the problem of constructing efficient secure two-party protocols for the problems of set-intersection and set-union, focusing on the model of malicious parties. Our main results are constant-round protocols that exhibit linear communication and a (practically) linear number of exponentiations with simulation-based security. At the heart of these constructions is a technique based on a combination of a perfectly hiding commitment and an oblivious pseudorandom function evaluation protocol. Our protocols readily transform into protocols that are UC-secure, and we discuss how to perform these transformations. Keywords: Secure two-party computation, Simulation-based security, Set-intersection, Set-union, Oblivious pseudorandom function evaluation.
Efficient and Universally Composable Committed Oblivious Transfer and Applications
Proceedings of the First Theory of Cryptography Conference (2004)
2004
Zero-knowledge proofs and string commitments withstanding quantum attacks
2004
The concept of zero-knowledge (ZK) has become of fundamental importance in cryptography. However, in a setting where entities are modeled by quantum computers, classical arguments for proving ZK fail to hold since, in the quantum setting, the concept of rewinding is not generally applicable. Moreover, known classical techniques that avoid rewinding have various shortcomings in the quantum setting. We propose new