Adaptively Secure Broadcast
A broadcast protocol allows a sender to distribute a message through a
point-to-point network to a set of parties, such that (i) all parties
receive the same message, even if the sender is corrupted, and (ii) this is
the sender's message if the sender is honest.
Broadcast protocols satisfying these properties are known to exist if and
only if , where denotes the total number of parties, and
denotes the maximal number of corruptions. When a setup allowing signatures
is available to the parties, then such protocols exist even for .
Broadcast is probably the most fundamental primitive in distributed
cryptography, and is used in almost any cryptographic (multi-party)
protocol. However, a broadcast protocol "only" satisfying the above
properties might be insecure when used in the context of another
protocol. In order to be safely usable within other protocols, a broadcast
protocol must satisfy a simulation-based security notion, which remains
secure under composition.
In this work, we show that most broadcast protocols in the literature do
not satisfy a (natural) simulation-based security notion. We do not know of
any broadcast protocol which could be securely invoked in a multi-party
computation protocol in the secure-channels model. The problem is that
existing protocols for broadcast do not preserve the secrecy of the message
while it is being broadcast, and in particular allow the adversary to corrupt
the sender (and change the message) depending on the message being
broadcast. For example, when every party should broadcast a random bit,
the adversary could corrupt those parties that want to broadcast 0, and
make them broadcast 1.
More concretely, we show that simulatable broadcast in a model with secure
channels is possible if and only if , respectively when
a signature setup is available. The positive results are proven by
constructing secure broadcast protocols
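The random-bit attack sketched in the abstract, as an added toy simulation (this is not code from the paper, and the "leaky" protocol, the party names and the corruption budget `t` are assumptions made for illustration). Each party wants to broadcast a random bit; in the toy protocol the sender's bit reaches an already-corrupted recipient before the honest parties are committed to it, so an adaptive adversary can decide to corrupt the sender after seeing the bit. In the ideal world a simulator has to choose whom to corrupt before it sees any honest input, so the corruption choice is independent of the bits. Both worlds satisfy the two classical properties (agreement and validity); the difference only shows in the joint distribution of corruptions and outputs, which is exactly what a simulation-based notion measures.

```python
import random

def leaky_broadcast(bits, t, _rng=None):
    """Toy, deliberately non-simulatable broadcast (an assumption made for
    illustration, not a protocol from the paper).  Party 0 is corrupted from
    the start.  Sender i transmits its bit over secure point-to-point channels
    one channel at a time, and the corrupted recipient is served first, so the
    adversary reads the bit before the honest parties are committed to it and
    may still corrupt the sender (if its budget t allows) and replace the bit.
    Returns (bit every party agrees on, per sender; set of corrupted parties)."""
    corrupted = {0}
    output = []
    for sender, bit in enumerate(bits):
        seen = bit                        # leaked to the adversary via party 0
        if seen == 0 and (sender in corrupted or len(corrupted) < t):
            corrupted.add(sender)         # adaptive corruption, chosen after seeing the bit
            output.append(1)              # the now-corrupted sender broadcasts 1 instead
        else:
            output.append(bit)            # honest sender: everyone agrees on the true bit
    return output, corrupted

def ideal_broadcast(bits, t, rng):
    """Ideal functionality.  A simulator must pick whom to corrupt before it
    learns any honest input, so its choice cannot depend on the bits.  Party 0
    stays statically corrupted; the other t-1 corruptions are input-independent."""
    corrupted = {0} | set(rng.sample(range(1, len(bits)), t - 1))
    output = [1 if i in corrupted else b for i, b in enumerate(bits)]
    return output, corrupted

def corruption_bias(world, n, t, trials, seed=0):
    """Over random inputs, the fraction of adaptively corrupted parties
    (everyone in the corrupted set except the static party 0) whose honest
    input was 0.  1.0 means the corruption choice is a function of the
    message; about 0.5 means it is independent of it, as a simulator's must be."""
    rng = random.Random(seed)
    zeros = total = 0
    for _ in range(trials):
        bits = [rng.randrange(2) for _ in range(n)]
        _, corrupted = world(bits, t, rng)
        for party in corrupted - {0}:
            total += 1
            zeros += bits[party] == 0
    return zeros / total if total else 0.0

if __name__ == "__main__":
    print("real world :", corruption_bias(leaky_broadcast, 10, 4, 2000))
    print("ideal world:", corruption_bias(ideal_broadcast, 10, 4, 2000))
```

No simulator can reproduce the real-world statistic (every adaptively corrupted party had input 0) from the ideal functionality, which is why such a protocol fails a simulation-based definition even though agreement and validity hold.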
Ballot secrecy: Security definition, sufficient conditions, and analysis of Helios
We propose a definition of ballot secrecy as an indistinguishability game in the
computational model of cryptography. Our definition improves upon earlier
definitions to ensure ballot secrecy is preserved in the presence of an
adversary that controls ballot collection. We also propose a definition of
ballot independence as an adaptation of an indistinguishability game for
asymmetric encryption. We prove relations between our definitions. In
particular, we prove ballot independence is sufficient for ballot secrecy in
voting systems with zero-knowledge tallying proofs. Moreover, we prove that
building systems from non-malleable asymmetric encryption schemes suffices for
ballot secrecy, thereby eliminating the expense of ballot-secrecy proofs for a
class of encryption-based voting systems. We demonstrate applicability of our
results by analysing the Helios voting system and its mixnet variant. Our
analysis reveals that Helios does not satisfy ballot secrecy in the presence of
an adversary that controls ballot collection. The vulnerability cannot be
detected by earlier definitions of ballot secrecy, because they do not consider
such adversaries. We adopt non-malleable ballots as a fix and prove that the
fixed system satisfies ballot secrecy
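Why malleable ballots matter to an adversary that controls ballot collection, as an added toy example (not code from the paper, and not a reproduction of its Helios analysis). The block assumes a toy exponential-ElGamal ballot over tiny constructed parameters (P, Q, G), with no ballot well-formedness proofs and no particular ballot format; the group, key sizes and the two-voter election are assumptions for illustration. A ballot collector who can submit a ballot of its own re-randomises the victim's ballot by homomorphically adding an encryption of 0 and submits the copy; the homomorphic tally of the two ballots is twice the victim's vote and so reveals it. Because the copy differs byte-for-byte from the original, rejecting exact duplicates at collection does not help; removing the malleability (non-malleable ballots) does.

```python
import random

# Toy group: safe prime P = 2Q + 1, G = 4 generates the order-Q subgroup.
# Constructed, deliberately tiny parameters for illustration; not secure.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    """Secret key x and public key h = G^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(pk, vote, rng):
    """Exponential ElGamal: (G^r, G^vote * pk^r).  Additively homomorphic."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def add(c1, c2):
    """Homomorphic addition of plaintexts: the malleability the attack uses."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def decrypt(sk, c):
    """Recover G^m as b / a^sk (a^(Q-sk) is a^(-sk) in the order-Q group),
    then brute-force the small discrete log; tallies are small."""
    a, b = c
    gm = b * pow(a, Q - sk, P) % P
    for m in range(Q):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("no discrete log found")

def tally(sk, ballots):
    """Homomorphic tally: multiply all ballots, decrypt once."""
    total = (1, 1)
    for c in ballots:
        total = add(total, c)
    return decrypt(sk, total)

def copy_ballot(pk, victim_ballot, rng):
    """Ballot collector's attack: re-randomise the victim's ballot by adding an
    encryption of 0.  Bytes differ, plaintext is identical, so a naive
    'reject exact duplicates' check on the bulletin board does not catch it."""
    return add(victim_ballot, encrypt(pk, 0, rng))

def leaked_vote(pk, sk, victim_vote, rng):
    """Two-voter election: the victim plus the adversary, who submits a copy.
    The tally is 2 * victim_vote, which reveals the victim's vote."""
    victim = encrypt(pk, victim_vote, rng)
    copied = copy_ballot(pk, victim, rng)
    assert copied != victim            # r for the added Enc(0) is never 0 mod Q
    return tally(sk, [victim, copied]) // 2

def run_demo(seed=7):
    """Honest two-voter tally (reveals nothing about who voted what) next to
    the copy attack, which reveals the victim's vote for either value."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    honest = tally(sk, [encrypt(pk, 1, rng), encrypt(pk, 0, rng)])
    return {
        "honest_tally": honest,
        "leak_when_victim_votes_1": leaked_vote(pk, sk, 1, rng),
        "leak_when_victim_votes_0": leaked_vote(pk, sk, 0, rng),
    }

if __name__ == "__main__":
    print(run_demo())
```

The leak is a consequence of the encryption being malleable (the homomorphism lets the adversary build a fresh ballot related to the victim's without knowing its content); with a non-malleable ballot the adversary can neither re-randomise nor otherwise derive a related ballot, which is the route the abstract's sufficiency result takes.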