Results 1  10
of
151
On the Limitations of Universally Composable TwoParty Computation without Setup Assumptions
 Journal of Cryptology
, 2003
"... Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrar ..."
Abstract

Cited by 103 (18 self)
 Add to MetaCart
(Show Context)
Abstract. The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multiparty, multiprotocol, multiexecution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without setup assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of twoparty protocols. We study the feasibility of universally composable twoparty function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties’ inputs, and furthermore are “efficiently invertible ” in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output. 1
Universal Composition with Joint State
, 2002
"... We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are ..."
Abstract

Cited by 76 (9 self)
 Add to MetaCart
(Show Context)
We propose a new composition operation for cryptographic protocols, called universal composition with joint state, and demonstrate sufficient conditions for when the new operation preserves security. In contrast with existing composition operations, where the instances of the composed protocols are assumed to have completely disjoint local states, the new operation allows the composed protocols to have some amount of joint state (and, in particular, joint randomness) while still guaranteeing strong composability properties.
Billiongate secure computation with malicious adversaries
 In USENIX Security
, 2012
"... The goal of this paper is to assess the feasibility of twoparty secure computation in the presence of a malicious adversary. Prior work has shown the feasibility of billiongate circuits in the semihonest model, but only the 35kgate AES circuit in the malicious model, in part because security in ..."
Abstract

Cited by 64 (1 self)
 Add to MetaCart
(Show Context)
The goal of this paper is to assess the feasibility of twoparty secure computation in the presence of a malicious adversary. Prior work has shown the feasibility of billiongate circuits in the semihonest model, but only the 35kgate AES circuit in the malicious model, in part because security in the malicious model is much harder to achieve. We show that by incorporating the best known techniques and parallelizing almost all steps of the resulting protocol, evaluating billiongate circuits is feasible in the malicious model. Our results are in the standard model (i.e., no common reference strings or PKIs) and, in contrast to prior work, we do not use the random oracle model which has wellestablished theoretical shortcomings. 1
Universally composable multiparty computation using tamperproof hardware
 In EUROCRYPT, Lecture Notes in Computer Science
, 2007
"... Abstract. Protocols proven secure within the universal composability (UC) framework satisfy strong and desirable security properties. Unfortunately, it is known that within the “plain ” model, secure computation of general functionalities without an honest majority is impossible. This has prompted r ..."
Abstract

Cited by 63 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Protocols proven secure within the universal composability (UC) framework satisfy strong and desirable security properties. Unfortunately, it is known that within the “plain ” model, secure computation of general functionalities without an honest majority is impossible. This has prompted researchers to propose various “setup assumptions ” with which to augment the bare UC framework in order to bypass this severe negative result. Existing setup assumptions seem to inherently require some trusted party (or parties) to initialize the setup in the real world. We propose a new setup assumption — more along the lines of a physical assumption regarding the existence of tamperproof hardware — which also suffices to circumvent the impossibility result mentioned above. We suggest this assumption as potentially leading to an approach that might alleviate the need for trusted parties, and compare our assumption to those proposed previously. 1
Symmetric Encryption in Automatic Analyses for Confidentiality against Active Adversaries
, 2004
"... In this article we present a technique for static analysis, correct with respect to complexitytheoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway  we define patterns fo ..."
Abstract

Cited by 57 (3 self)
 Add to MetaCart
In this article we present a technique for static analysis, correct with respect to complexitytheoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway  we define patterns for cryptographic protocols (they did it for formal expressions), such that the protocol is secure iff the patterns are. We then statically analyse the patterns, they should be easier to analyse than the protocols themselves. We consider symmetric encryption as the cryptographic primitive in protocols. Handling this primitive has so far received comparatively less attention in approaches striving to unite the formal and computational models of cryptography.
General Composition and Universal Composability in Secure Multiparty Computation
, 2007
"... Concurrent general composition relates to a setting where a secure protocol is run in anetwork concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols areexecuted concurrently. Ca ..."
Abstract

Cited by 52 (9 self)
 Add to MetaCart
(Show Context)
Concurrent general composition relates to a setting where a secure protocol is run in anetwork concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols areexecuted concurrently. Canetti (FOCS 2001) introduced the notion of universal composability, and showed that security under this definition is sufficient for achieving concurrent generalcomposition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (Innewer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all itsvariants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of twoparty functionalities for whichit is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not &quot;blackbox&quot;, andapply even to nonblackbox simulation. Our main result also demonstrates that the definition of universal composability is somewhat&quot;minimal&quot;, in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is notoverly restrictive.
Universally Composable Security with Global Setup
 In Proceedings of the 4th Theory of Cryptography Conference
, 2007
"... Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls ..."
Abstract

Cited by 51 (5 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that reestablishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
RoundOptimal Secure TwoParty Computation
 In CRYPTO 2004
, 2004
"... We consider the central cryptographic task of secure twoparty computation: two parties wish to compute some function of their private inputs (each receiving possibly di#erent outputs) where security should hold with respect to arbitrarilymalicious behavior of either of the participants. Despit ..."
Abstract

Cited by 49 (6 self)
 Add to MetaCart
We consider the central cryptographic task of secure twoparty computation: two parties wish to compute some function of their private inputs (each receiving possibly di#erent outputs) where security should hold with respect to arbitrarilymalicious behavior of either of the participants. Despite extensive research in this area, the exact roundcomplexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary polytime functionality) was not previously known.
Protocols for BoundedConcurrent Secure TwoParty Computation in the Plain Model
, 2006
"... Until recently, most research on the topic of secure computation focused on the standalonemodel, where a single protocol execution takes place. In this paper, we construct protocols for the setting of boundedconcurrent selfcomposition, where a (single) secure protocol is run manytimes concurrent ..."
Abstract

Cited by 47 (7 self)
 Add to MetaCart
(Show Context)
Until recently, most research on the topic of secure computation focused on the standalonemodel, where a single protocol execution takes place. In this paper, we construct protocols for the setting of boundedconcurrent selfcomposition, where a (single) secure protocol is run manytimes concurrently, and there is a predetermined bound on the number of concurrent executions. In short, we show that any twoparty functionality can be securely computed under boundedconcurrent selfcomposition, in the
Rationality and adversarial behavior in multiparty computation
 Advances in Cryptology — Crypto 2006
, 2006
"... Abstract. We study multiparty computation in the model where none of n participating parties are honest: they are either rational, acting in their selfish interest to maximize their utility, or adversarial, acting arbitrarily. In this new model, which we call the mixedbehavior model, we define a c ..."
Abstract

Cited by 39 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We study multiparty computation in the model where none of n participating parties are honest: they are either rational, acting in their selfish interest to maximize their utility, or adversarial, acting arbitrarily. In this new model, which we call the mixedbehavior model, we define a class of functions that can be computed in the presence of an adversary using a trusted mediator. We then give a protocol that allows the rational parties to emulate the mediator and jointly compute the function such that (1) assuming that each rational party prefers that it learns the output while others do not, no rational party has an incentive to deviate from the protocol; and (2) the rational parties are protected from a malicious adversary controlling ⌈ n ⌉ − 2 of the participants: the 2 adversary can only either cause all rational participants to abort (so no one learns the function they are trying to compute), or can only learn whatever information is implied by the output of the function. 1