## Universally Composable Security with Global Setup (2007)

Venue: In Proceedings of the 4th Theory of Cryptography Conference

Citations: 50 (5 self)

### Citations

1233 | The Knowledge Complexity of Interactive Proof-Systems
- Goldwasser, Micali, et al.
- 1989
- Citation context: ...ur generalization. Systems of ITMs. To capture the mechanics of computation and communication in computer networks, the UC framework employs an extension of the Interactive Turing Machine (ITM) model [27] (see [13] for precise details on the additional extensions). A computer program (such as for a protocol, or perhaps the program of the adversary) is modeled in the form of an ITM (which is an abstract no...

818 | Universally Composable Security: A New Paradigm for Cryptographic Protocols
- Canetti
- 2002
- Citation context: ...ncludes calls to protocol π should, in principle, behave the same if the calls to π were replaced by ideal calls to the trusted party F. Several formalizations of the above intuitive idea exist, e.g. [26, 33, 3, 11, 22, 38, 12, 37]. These formalizations vary in their rigor, expressibility, generality and restrictiveness, as well as security and composability guarantees. However, one point which no existing formalism seems to ha...

457 | Security and Composition of Multiparty Cryptographic Protocols
- Canetti
- Citation context: ...ncludes calls to protocol π should, in principle, behave the same if the calls to π were replaced by ideal calls to the trusted party F. Several formalizations of the above intuitive idea exist, e.g. [26, 33, 3, 11, 22, 38, 12, 37]. These formalizations vary in their rigor, expressibility, generality and restrictiveness, as well as security and composability guarantees. However, one point which no existing formalism seems to ha...

419 | Proofs that Yield Nothing But Their Validity or All Languages
- Goldreich, Micali, et al.
- 1991
- Citation context: ...to construct a signature scheme with an augmented Σ-protocol for the knowledge of the signature. First, we observe that every NP-relation is known to have such a Σ-protocol if one-way functions exist [25, 29, 4]. Specifically, the protocol of [4] (where the prover commits to a permutation of a graph with a Hamiltonian cycle, and is challenged to reveal either a cycle or the permutation) is easily shown to su...

266 | Identity-based encryption from the Weil pairing
- Boneh, Franklin
- 2001
- Citation context: ...nt of G_krk) is that in Ḡ_acrs there is a single public value, whereas in Ḡ_krk an extra public value must be given per party identity. Using a paradigm analogous to the identity-based encryption of [7], we avoid the use of per-party public keys and replace them with a single short “master public key” (and indeed our constructions use short public keys that depend only on the security parameter). Th...

205 | A signature scheme with efficient protocols
- Camenisch, Lysyanskaya
- 2003

183 | Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999

170 | Universally Composable Commitments
- Canetti, Fischlin
- Citation context: ...model may not be “adaptively sound” (see [24]), so perhaps a malicious prover can succeed in proving false statements after seeing the CRS, as demonstrated in [1]. As another example, the protocol in [17] for realizing the single-instance commitment functionality becomes malleable as soon as two instances use the same reference string (indeed, to avoid this weakness a more involved protocol was develo...

162 | Designated verifier proofs and their applications
- Jakobsson, Sako, et al.
- 1996
- Citation context: ...jecture that GUC authentication protocols (namely, protocols that GUC-realize ideally authentic communication channels) that use a global PKI setup can be constructed by combining the techniques of [31, 17]. However, we leave full exploration of this problem out of scope for this work. The notions of key exchange and secure sessions in the presence of global PKI setup need to be re-visited in a similar ...

151 | Universally Composable Two-Party and Multi-Party Secure Computation
- Canetti, Lindell, et al.
- 2002
- Citation context: ... for realizing F_com in the KRK model can be shown to satisfy the new notion, even with the global KRK setup, as long as the adversary is limited to non-adaptive party corruptions. (As demonstrated in [19], realizing F_com suffices for realizing any “well-formed” multi-party functionality.) However, when adaptive party corruptions are allowed, and the adversary can observe the past internal data of corr...

147 | Composition and integrity preservation of secure reactive systems
- Pfitzmann, Waidner
- Citation context: ...ncludes calls to protocol π should, in principle, behave the same if the calls to π were replaced by ideal calls to the trusted party F. Several formalizations of the above intuitive idea exist, e.g. [26, 33, 3, 11, 22, 38, 12, 37]. These formalizations vary in their rigor, expressibility, generality and restrictiveness, as well as security and composability guarantees. However, one point which no existing formalism seems to ha...

142 | How to Prove a Theorem So No One Else Can Claim It
- Blum
- 1986
- Citation context: ...to construct a signature scheme with an augmented Σ-protocol for the knowledge of the signature. First, we observe that every NP-relation is known to have such a Σ-protocol if one-way functions exist [25, 29, 4]. Specifically, the protocol of [4] (where the prover commits to a permutation of a graph with a Hamiltonian cycle, and is challenged to reveal either a cycle or the permutation) is easily shown to su...

141 | Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority
- Beaver
- 1991

111 | Zero-Knowledge Proofs of Knowledge in Two Rounds
- Feige, Shamir
- 1990
- Citation context: ...to construct a signature scheme with an augmented Σ-protocol for the knowledge of the signature. First, we observe that every NP-relation is known to have such a Σ-protocol if one-way functions exist [25, 29, 4]. Specifically, the protocol of [4] (where the prover commits to a permutation of a graph with a Hamiltonian cycle, and is challenged to reveal either a cycle or the permutation) is easily shown to su...

103 | On the Limitations of Universally Composable Two-Party Computation Without Set-Up Assumptions
- Canetti, Kushilevitz, et al.
- 2003
- Citation context: ...nrealistic in the case of global setup, when protocols share state information with each other (and indeed, it was shown to be impossible to realize UC-secure protocols without resort to such tactics [17, 12, 18]). To overcome this limitation, we propose the Generalized UC (GUC) framework. The GUC challenge experiment is similar to the basic UC experiment, only with an unconstrained environment. In particul...

97 | Universally Composable Protocols with Relaxed Set-Up Assumptions
- Barak, Canetti, et al.
- Citation context: ...nimal way, and show how to GUC-realize practically any ideal functionality in any one of the two models. The first setup model is reminiscent of the “key registration with knowledge (KRK)” setup from [6], where each party registers a public key with some trusted authority in a way that guarantees that the party can access the corresponding secret key. However, in contrast to [6] where the scope of a ...

87 | GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attack
- Bellare, Palacio
- 2002
- Citation context: ...proceeding with the details of the proof, we first state and prove a general lemma regarding coin-tossing protocols that is used in our proof of security. Our lemma is analogous to the Reset Lemma of [9], but unlike the Reset Lemma it aims to guarantee not only that certain events will occur after rewindings, but that the output distribution of the entire experiment remains computationally indistingu...

85 | Fair Computation of General Functions
- Goldwasser, Levin
- 1990

75 | Universal Composition with Joint State
- Canetti, Rabin
- 2002

68 | Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority
- Pass
- 2004

61 | Universally composable signatures, certification and authentication
- Canetti
- 2004

59 | On Deniability in the Common Reference String and Random Oracle Model
- Pass
- 2003
- Citation context: ... infrastructure (PKI) or a common reference string (CRS), where all parties are assumed to have access to some global information that is trusted to have certain properties. Indeed, as pointed out in [35], the intuitive guarantee that “running π has the same effect as having access to the trusted party” no longer holds. As a first indication of this fact, consider the “deniability” concern, namely, al...

55 | Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor
- Damgård, Nielsen
- 2002
- Citation context: ...ough for the original analysis to go through. Instead, we provide a “weaker” CRS, and provide a significantly more elaborate analysis. The protocol is similar in spirit to the coin-tossing protocol of [21], in that it allows the generated random string to have different properties depending on which parties are corrupted. Even so, their protocol is not adaptively secure in our model. Augmented CRS. Nex...

53 | Secure computation. Unpublished manuscript
- Micali, Rogaway
- 1992

51 | General Composition and Universal Composability in Secure Multi-Party Computation
- Lindell
- 2003
- Citation context: ... “rewinding” technique in order to accomplish this. While it is critical that UC secure protocols be straight-line simulatable (i.e. they may not use rewinding techniques for simulation purposes, see [32] for details), we stress that here we are using the rewinding only in the proof of indistinguishability for the simulator. The simulator itself does not perform any rewinding. Therefore, our reduction...

50 | Strict Polynomial-time in Simulation and Extraction
- Barak, Lindell
- 2002
- Citation context: ... commitment scheme (such as an IBTC) into a protocol for securely realizing F_com (for single bit commitments). Previously similar types of transformations have appeared in the literature (e.g., [19], [8]). Unfortunately all such transformations either require some additional non-global setup (and are thus not applicable in our setting), or only work in the case of static security. We now turn our foc...

38 | On Simulation-Sound Trapdoor Commitments
- MacKenzie, Yang
- Citation context: ...ach is based on the technique from [23] for constructing commitment schemes from “Σ-protocols”. In particular, the basic tool we use to construct IBTCs is a modified form of standard Σ-protocols (see [34, 21]) that we call augmented Σ-protocols. Intuitively, Σ-protocols are three move protocols for proving some relation in zero knowledge. The augmented definition adds a “reverse state construction” proper...

37 | Alternative models for zero knowledge interactive proofs
- Feige
- 1990
- Citation context: ...ide a construction in the standard model based on one way functions. The construction is secure against adaptive corruptions, and is based on the Feige construction of commitment from Sigma protocols [23], where the committer runs the simulator of the Sigma protocol. Realizing the setup assumptions. “Real world implementations” of the ACRS and KRK setups can involve a trusted entity (say, a “post offi...

34 | Perfect NIZK with adaptive soundness
- Abe, Fehr
- 2007
- Citation context: ...-secure Zero-Knowledge proofs in the CRS model may not be “adaptively sound” (see [24]), so perhaps a malicious prover can succeed in proving false statements after seeing the CRS, as demonstrated in [1]. As another example, the protocol in [17] for realizing the single-instance commitment functionality becomes malleable as soon as two instances use the same reference string (indeed, to avoid this we...

31 | Parallel Reducibility for Information-Theoretically Secure Computation. CRYPTO’00
- Dodis, Micali
- 2000

29 | Secure computation without authentication
- Barak, Canetti, et al.
- 2005
- Citation context: ...thout ever having registered with any authority. This is extremely useful for settings where PKIs are not desirable or easy to implement, and where no single “global” authority is available (see e.g. [5]). In the next section, we will prove the following result: (Footnote 7: In fact, the protocol we will describe in Section 5 can also support a “graceful failure” approach similar to that outlined in [6], in t...

28 | New notions of security: achieving universal composability without trusted setup
- Prabhakaran, Sahai

24 | How To Play Almost Any Mental Game Over The Net - Concurrent Composition via Super-Polynomial Simulation
- Barak, Sahai
- Citation context: ...nvolved in the proof of the universal composition theorem. We also demonstrate that GUC security is preserved under universal composition. Related work. Relaxed variants of UC security are studied in [37, 10]. These variants allow reproducing the general feasibility results without setup assumptions other than authenticated communication. However, these results provide significantly weaker security proper...

23 | Identity-based chameleon hash and applications
- Ateniese, Medeiros
- 2004
- Citation context: ...s identical to that of the CRS setup. The main tool in our protocol for realizing F_com in the ACRS model is a new identity-based trapdoor commitment (IBTC) protocol. IBTC protocols are constructed in [2, 39], in the Random Oracle model. Here we provide a construction in the standard model based on one way functions. The construction is secure against adaptive corruptions, and is based on the Feige constr...

15 | ID-Based Chameleon Hashes from Bilinear Pairings, Cryptology ePrint Archive: Report 2003/208
- Zhang, Safavi-Naini, et al.
- 2014
- Citation context: ...s identical to that of the CRS setup. The main tool in our protocol for realizing F_com in the ACRS model is a new identity-based trapdoor commitment (IBTC) protocol. IBTC protocols are constructed in [2, 39], in the Random Oracle model. Here we provide a construction in the standard model based on one way functions. The construction is secure against adaptive corruptions, and is based on the Feige constr...

13 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, Schoenmakers
- Citation context: ...el [2, 39]. Here we provide a conceptually simple approach to constructing an adaptively secure IBTC from any one-way function, in the standard model. Our approach relies on the use of Sigma protocols [15], in an approach based on that of [23] (and perhaps surprisingly can result in a very practical protocol). On a very high level (and very oversimplified) the general idea is as follows: 1) let the mas...

13 | Universally composable zero-knowledge arguments and commitments from signature cards
- Hofheinz, Müller-Quade, et al.
- 2005
- Citation context: ...g security in the presence of global setup. In particular, it adopts the original UC modeling of setup as a construct that is internal to each protocol instance. In a concurrent work, Hofheinz et al. [30] consider a notion of security that is reminiscent of EUC, with similar motivation to the motivation here. They also formulate a new setup assumption and show how to realize any functionality given th...

4 | How to Solve any Protocol Problem
- Goldreich, Micali, et al.
- 1987
- Citation context: ...1 Introduction. The trusted party paradigm is a fundamental methodology for defining security of cryptographic protocols. The basic idea (which originates in [28]) is to say that a protocol securely realizes a given computational task if running the protocol amounts to “emulating” an ideal process where all parties secretly hand their inputs to an imaginary “t...