Composable Adaptive Secure Protocols without Setup under Polytime Assumptions
All previous constructions of general multiparty computation protocols that are secure against adaptive corruptions in the concurrent setting either require some form of setup or non-standard assumptions. In this paper we provide the first general construction of a secure multi-party computation protocol without any setup that guarantees composable security in the presence of an adaptive adversary based on standard polynomial-time assumptions. We prove security under the notion of "UC with super-polynomial helpers" introduced by Canetti et al. (FOCS 2010), which is closed under universal composition and implies "super-polynomial-time simulation". Moreover, our construction relies on the underlying cryptographic primitives in a black-box manner.
Next, we revisit the zero-one law for two-party secure function evaluation initiated by the work of Maji, Prabhakaran and Rosulek (CRYPTO 2010). According to this law, every two-party functionality is either trivial (meaning, such functionalities can be reduced to any other functionality) or complete (meaning, any other functionality can be reduced to these functionalities) in the Universal Composability (UC) framework. As our second contribution, assuming the existence of a simulatable public-key encryption scheme, we establish a zero-one law in the adaptive setting. Our result implies that every two-party non-reactive functionality is either trivial or complete in the UC framework in the presence of adaptive, malicious adversaries.
Improved Black-Box Constructions of Composable Secure Computation
We close the gap between black-box and non-black-box constructions of secure multiparty computation in the plain model under the assumption of semi-honest oblivious transfer. The notion of protocol composition we target is angel-based security, or more precisely, security with super-polynomial helpers. In this notion, both the simulator and the adversary are given access to an oracle called an angel that can perform some predefined super-polynomial time task. Angel-based security maintains the attractive properties of the universal composition framework while providing meaningful security guarantees in complex environments without having to trust anyone.
Angel-based security can be achieved using non-black-box constructions in rounds where is the round-complexity of the semi-honest oblivious transfer. However, currently, the best known constructions under the same assumption require rounds. If is a constant, the gap between non-black-box and black-box constructions can be a multiplicative factor . We close this gap by presenting a -round black-box construction. We achieve this result by constructing constant-round 1-1 CCA-secure commitments assuming only black-box access to one-way functions.
Constant Round Adaptively Secure Protocols in the Tamper-Proof Hardware Model
Achieving constant-round adaptively secure protocols (where all parties can be corrupted) in the plain model is a notoriously hard problem. Very recently, three works published in TCC 2015 (Dachman-Soled et al., Garg and Polychroniadou, Canetti et al.), solved the problem in the Common Reference String (CRS) model. In this work, we present a constant-round adaptive UC-secure computation protocol for all well-formed functionalities in the tamper-proof hardware model using stateless tokens from only one-way functions. In contrast, all prior works in the CRS model require very strong assumptions, in particular, the existence of indistinguishability obfuscation.
As a corollary to our techniques, we present the first adaptively secure protocols in the Random Oracle Model (ROM) with round complexity proportional to the depth of the circuit implementing the functionality. Our protocols are secure in the Global Random Oracle Model introduced recently by Canetti, Jain and Scafuro in CCS 2014, which provides strong compositional guarantees. More precisely, we obtain an adaptively secure UC-commitment scheme in the global ROM assuming only one-way functions. In comparison, the protocol of Canetti, Jain and Scafuro achieves only static security and relies on the specific Discrete Diffie-Hellman (DDH) assumption.
Efficient Designated-Verifier Non-Interactive Zero-Knowledge Proofs of Knowledge
We propose a framework for constructing efficient designated-verifier non-interactive zero-knowledge proofs (DVNIZK) for a wide class of algebraic languages over abelian groups, under standard assumptions. The proofs obtained via our framework are proofs of knowledge, enjoy statistical, and unbounded soundness (the soundness holds even when the prover receives arbitrary feedback on previous proofs). Previously, no efficient DVNIZK system satisfying any of those three properties was known. Our framework allows proving arbitrary relations between cryptographic primitives such as Pedersen commitments, ElGamal encryptions, or Paillier encryptions, in an efficient way. For the latter, we further exhibit the first non-interactive zero-knowledge proof system in the standard model that is more efficient than proofs obtained via the Fiat-Shamir transform, with still-meaningful security guarantees and under standard assumptions. Our framework has numerous applications, in particular for the design of efficient privacy-preserving non-interactive authentication.
MoSS: Modular Security Specifications Framework
Applied cryptographic protocols have to meet a rich set of security requirements under diverse environments and against diverse adversaries. However, currently used security specifications, based on either simulation (e.g., 'ideal functionality' in UC) or games, are monolithic, combining together different aspects of protocol requirements, environment and assumptions. Such security specifications are complex, error-prone, and foil reusability, modular analysis and incremental design.
We present the Modular Security Specifications (MoSS) framework, which cleanly separates the security requirements (goals) which a protocol should achieve, from the models (assumptions) under which each requirement should be ensured. This modularity allows us to reuse individual models and requirements across different protocols and tasks, and to compare protocols for the same task, either under different assumptions or satisfying different sets of requirements. MoSS is flexible and extendable, e.g., it can support both asymptotic and concrete definitions for security.
So far, we have confirmed the applicability of MoSS to two applications: secure broadcast protocols and PKI schemes.
Structure-Preserving and Re-randomizable RCCA-secure Public Key Encryption and its Applications
Re-randomizable RCCA-secure public key encryption (Rand-RCCA PKE) schemes reconcile the property of re-randomizability of the ciphertexts with the need for security against chosen-ciphertext attacks. In this paper we give a new construction of a Rand-RCCA PKE scheme that is perfectly re-randomizable. Our construction is structure-preserving, can be instantiated over Type-3 pairing groups, and achieves better computation and communication efficiency than the state-of-the-art perfectly re-randomizable schemes (e.g., Prabhakaran and Rosulek, CRYPTO'07).
Next, we revive the Rand-RCCA notion, showing new applications where our Rand-RCCA PKE scheme plays a fundamental part:
(1) We show how to turn our scheme into a publicly-verifiable Rand-RCCA scheme;
(2) We construct a malleable NIZK with a (variant of) simulation soundness that allows for re-randomizability;
(3) We propose a new UC-secure Verifiable Mix-Net protocol that is secure in the common reference string model.
Thanks to the structure-preserving property, all these applications are efficient. Notably, our Mix-Net protocol is the most efficient universally verifiable Mix-Net (without random oracle) where the CRS is a uniformly random string of size independent of the number of senders. This property is of the essence when such protocols are used at large scale.
Universally Composable Security: A New Paradigm for Cryptographic Protocols
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is maintained under a general composition operation, called universal composition.
The proposed framework with its security-preserving composition property allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security within any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Universal Composition with Global Subroutines: Capturing Global Setup within plain UC
The Global and Externalized UC frameworks [Canetti-Dodis-Pass-Walfish, TCC 07] extend the plain UC framework to additionally handle protocols that use a "global setup", namely a mechanism that is also used by entities outside the protocol. These frameworks have broad applicability: examples include public-key infrastructures, common reference strings, shared synchronization mechanisms, global blockchains, or even abstractions such as the random oracle. However, the need to work in a specialized framework has been a source of confusion, incompatibility, and an impediment to broader use.
We show how security in the presence of a global setup can be captured within the plain UC framework, thus significantly simplifying the treatment. This is done as follows:
- We extend UC-emulation to the case where both the emulating protocol and the emulated protocol make subroutine calls to protocol that is accessible also outside and . As usual, this notion considers only a single instance of or (alongside ).
- We extend the UC theorem to hold even with respect to the new notion of UC emulation. That is, we show that if UC-emulates in the presence of , then UC-emulates for any protocol , even when uses directly, and in addition calls many instances of , all of which use the same instance of . We prove this extension using the existing UC theorem as a black box, thus further simplifying the treatment.
We also exemplify how our treatment can be used to streamline, within the plain UC model, proofs of security of systems that involve global setup, thus providing greater simplicity and flexibility.
Secure Computation Without Authentication
Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: essentially, all the adversary can do is partition the network into disjoint sets, where in each set the computation is secure in and of itself, and also independent of the computation in the other sets. In this setting we provide, for the first time, non-trivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and non-malleable commitments. As an application of our results, we study the question of constructing secure protocols in partially-authenticated networks, where some of the links are authenticated and some are not (as is the case in most networks today).