FortifiedIPS: Increasing the Security of Multi-Party Computation by Diverse Redundancy
In this work we present an approach for improving the security of protocols for multi-party computation (MPC). To this end, we assume that protocol participants consist of several devices with different combinations of hardware, software and operating systems. This is called diverse redundancy. We further assume that, because of their differing construction, redundant devices cannot all be corrupted at the same time. On this basis we construct an MPC protocol that remains secure even if the last honest party is partially corrupted.
To describe this assumption formally, we propose a corruption model with two distinct types of corruption. Attacks via physical access to a device are modelled by the usual active corruption. Attacks over the network, however, are restricted, modelling the fact that such attacks depend on existing vulnerabilities. When systems are deployed in diverse redundancy, it is unlikely that all of them exhibit vulnerabilities at the same time. This approach is already used in practical IT security but, to the best of our knowledge, has not yet been used to give formal security guarantees.
Many cryptographic protocols (implicitly) assume that each party consists of only one physical device. A party is therefore either fully corrupted or remains completely honest. For our purposes it is thus necessary to split parties into several devices. These devices then run a protocol that realises one whole party. To protect the critical points at which the whole party could be corrupted at once, we employ the MPC protocol SPDZ [Dam+13]. Here we exploit the fact that SPDZ is only run within a single party: the devices trust each other, at least initially, before any corruption can take place. This initial trust allows the most expensive part of SPDZ, the preprocessing phase, to be skipped.
This approach incurs linear additional overhead compared with conventional protocols. In return, it guarantees that parties which lose up to a quarter of their devices to corruption can continue to take part in the protocol as honest parties, and their inputs and outputs remain secret.
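To make the device-level mechanism concrete, here is an added example (it is not code from the FortifiedIPS paper): a trusted dealer among a party's devices, standing in for the skipped SPDZ preprocessing, hands out additive shares of each input together with SPDZ-style information-theoretic MAC shares; devices add shared values locally without interaction, and the MAC check on opening catches a device that alters its share. The field P, the class and function names and the four-device setup are assumptions of the example; the paper's quarter-of-devices bound comes from its corruption model and is not derived here.

```python
"""Added example: SPDZ-style authenticated additive sharing among a party's
devices, with a trusted dealer replacing the preprocessing phase. Not the
FortifiedIPS protocol itself; field, names and sizes are assumptions."""
import secrets

P = (1 << 61) - 1  # prime field for shares and MACs (assumed choice)


def share(value: int, n: int) -> list:
    """Split value into n additive shares mod P; any n-1 of them are uniform,
    so the devices an attacker holds reveal nothing about the input."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts


class Device:
    """One physical device of a party: holds a share of the MAC key alpha and,
    per named value, a pair (share of x, share of alpha*x)."""
    def __init__(self, alpha_share: int):
        self.alpha_share = alpha_share
        self.shares = {}


def deal(values: dict, n: int) -> list:
    """Trusted setup: while the devices still trust each other (before any
    corruption), one of them acts as dealer. It samples the global MAC key
    alpha and distributes authenticated shares of every input value."""
    alpha = secrets.randbelow(P - 1) + 1
    devices = [Device(a) for a in share(alpha, n)]
    for name, v in values.items():
        for dev, x_i, m_i in zip(devices, share(v % P, n), share(alpha * v % P, n)):
            dev.shares[name] = (x_i, m_i)
    return devices


def local_add(devices: list, a: str, b: str, out: str) -> None:
    """Linear operations need no interaction: each device adds its own shares."""
    for dev in devices:
        xa, ma = dev.shares[a]
        xb, mb = dev.shares[b]
        dev.shares[out] = ((xa + xb) % P, (ma + mb) % P)


def open_and_check(devices: list, name: str) -> int:
    """Reconstruct a value and run the SPDZ MAC check: every device publishes
    sigma_i = m_i - alpha_i * x; the sum is 0 iff sum(m_i) = alpha * x."""
    x_open = sum(dev.shares[name][0] for dev in devices) % P
    sigma = sum((dev.shares[name][1] - dev.alpha_share * x_open) % P
                for dev in devices) % P
    if sigma != 0:
        raise ValueError(f"MAC check failed while opening {name}: a device tampered")
    return x_open


def tampering_is_detected(n: int = 4) -> bool:
    """A corrupted device shifts its share of x by one; without alpha it cannot
    fix up its MAC share, so the opening fails with probability 1 - 1/P."""
    devices = deal({"x": 42}, n)
    x_0, m_0 = devices[0].shares["x"]
    devices[0].shares["x"] = ((x_0 + 1) % P, m_0)
    try:
        open_and_check(devices, "x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    party = deal({"x": 42, "y": 58}, 4)
    local_add(party, "x", "y", "z")
    print("x + y =", open_and_check(party, "z"))  # 100
    print("tampering detected:", tampering_is_detected())
```

The dealer role is exactly what the initial intra-party trust buys: in ordinary SPDZ the MAC key shares and authenticated randomness come out of an expensive preprocessing phase because no single party may know alpha. Multiplications would additionally need Beaver triples, which the dealer could hand out in the same way; they are left out here to keep the example short.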
Combiners for Functional Encryption, Unconditionally
Functional encryption (FE) combiners allow one to combine many candidates for a functional encryption scheme, possibly based on different computational assumptions, into another functional encryption candidate with the guarantee that the resulting candidate is secure as long as at least one of the original candidates is secure. The fundamental question in this area is whether FE combiners exist.
There have been a series of works (Ananth et al. (CRYPTO '16), Ananth-Jain-Sahai (EUROCRYPT '17), Ananth et al. (TCC '19)) on constructing FE combiners from various assumptions.
We give the first unconditional construction of combiners for functional encryption, resolving this question completely. Our construction immediately implies an unconditional universal functional encryption scheme, an FE scheme that is secure if such an FE scheme exists. Previously such results either relied on algebraic assumptions or required subexponential security assumptions.
From FE Combiners to Secure MPC and Back
Functional encryption (FE) has incredible applications towards computing on encrypted data. However, constructing the most general form of this primitive has remained elusive. Although some candidate constructions exist, they rely on nonstandard assumptions, and thus, their security has been questioned. An FE combiner attempts to make use of these candidates while minimizing the trust placed on any individual FE candidate. Informally, an FE combiner takes in a set of FE candidates and outputs a secure FE scheme if at least one of the candidates is secure.
Another fundamental area in cryptography is secure multi-party computation (MPC), which has been extensively studied for several decades. In this work, we initiate a formal study of the relationship between functional encryption (FE) combiners and secure multi-party computation (MPC). In particular, we show implications in both directions between these primitives. As a consequence of these implications, we obtain the following main results.
1) A two round semi-honest MPC protocol in the plain model secure against up to (n-1) corruptions with communication complexity proportional only to the depth of the circuit being computed assuming LWE. Prior two round protocols that achieved this communication complexity required a common reference string.
2) A functional encryption combiner based on pseudorandom generators (PRGs) in NC^1. Such PRGs can be instantiated from assumptions such as DDH and LWE. Previous constructions of FE combiners were known only from the learning with errors assumption. Using this result, we build a universal construction of functional encryption: an explicit construction of functional encryption based only on the assumptions that functional encryption exists and PRGs in NC^1.
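The combiner guarantee used in the two abstracts above (the result is secure as long as at least one candidate is) is easiest to see on a simpler primitive, so here is an added example for ordinary symmetric encryption rather than functional encryption; it is not code from either paper, and the FE combiners they construct need much more machinery. The message is split into XOR-shares and share i is encrypted under candidate i, so a candidate that has completely collapsed leaks only a uniformly random share. The candidate constructions, their labels and the key format are assumptions of the example.

```python
"""Added example: secret-sharing combiner for symmetric encryption. Illustrates
the combiner principle only; it is NOT an FE combiner and not the papers' code."""
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_stream_candidate(label: bytes):
    """A candidate scheme: counter-mode stream cipher whose keystream comes from
    HMAC-SHA256. The label is domain separation so that two candidates built
    this way never share a keystream (assumed design). Returns (encrypt, decrypt)."""
    def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
        stream = b""
        ctr = 0
        while len(stream) < len(data):
            stream += hmac.new(key, label + nonce + ctr.to_bytes(4, "big"),
                               hashlib.sha256).digest()
            ctr += 1
        return _xor(data, stream[:len(data)])
    return crypt, crypt  # stream cipher: decryption is the same operation


def broken_candidate():
    """A candidate whose assumption has fallen: it leaks its input verbatim.
    Stands in for an FE candidate that turned out to be insecure."""
    def identity(key: bytes, nonce: bytes, data: bytes) -> bytes:
        return data
    return identity, identity


def combiner_encrypt(candidates: list, keys: list, msg: bytes):
    """Split msg into len(candidates) XOR-shares and encrypt share i under
    candidate i with key i. Returns (nonce, [c_1, ..., c_k])."""
    k = len(candidates)
    nonce = secrets.token_bytes(16)
    shares = [secrets.token_bytes(len(msg)) for _ in range(k - 1)]
    last = msg
    for s in shares:
        last = _xor(last, s)
    shares.append(last)  # XOR of all shares equals msg
    cts = [enc(key, nonce, s)
           for (enc, _), key, s in zip(candidates, keys, shares)]
    return nonce, cts


def combiner_decrypt(candidates: list, keys: list, nonce: bytes, cts: list) -> bytes:
    """Decrypt every component with its own candidate and XOR the shares back.
    An attacker who breaks all but one candidate learns k-1 shares, which are
    independent of msg because the remaining share is still hidden."""
    msg = bytes(len(cts[0]))
    for (_, dec), key, ct in zip(candidates, keys, cts):
        msg = _xor(msg, dec(key, nonce, ct))
    return msg


def roundtrip(msg: bytes) -> bytes:
    """Three candidates, the middle one completely broken; fixed keys so the
    result is reproducible (keys are constructed sample input)."""
    cands = [hmac_stream_candidate(b"cand-A"), broken_candidate(),
             hmac_stream_candidate(b"cand-C")]
    keys = [b"A" * 32, b"", b"C" * 32]
    nonce, cts = combiner_encrypt(cands, keys, msg)
    return combiner_decrypt(cands, keys, nonce, cts)
```

This "parallel with sharing" combiner costs k times the ciphertext length and k key sizes, which is the linear overhead one accepts for not having to trust any single assumption; the FE combiners in the abstracts above pay a comparable price but must also keep the function keys of the individual candidates from revealing the shares, which is where the MPC and PRG machinery comes in.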
Round-Optimal and Communication-Efficient Multiparty Computation
Typical approaches for minimizing the round complexity of multiparty computation (MPC) come at the cost of increased communication complexity (CC) or the reliance on setup assumptions. A notable exception is the recent work of Ananth et al. [TCC 2019], which used Functional Encryption (FE) combiners to obtain a round optimal (two-round) semi-honest MPC in the plain model with a CC proportional to the depth and input-output length of the circuit being computed—we refer to such protocols as circuit scalable. This leaves open the question of obtaining communication efficient protocols that are secure against malicious adversaries in the plain model, which we present in this work. Concretely, our two main contributions are:
1) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into circuit-scalable maliciously secure MPC protocols in the plain model, assuming (succinct) FE combiners.
2) We provide a round-preserving black-box compiler that compiles a wide class of MPC protocols into circuit-independent— i.e., with a CC that depends only on the input-output length of the circuit—maliciously secure MPC protocols in the plain model, assuming Multi-Key Fully-Homomorphic Encryption (MFHE). Our constructions are based on a new compiler that turns a wide class of MPC protocols into k-delayed-input function MPC protocols (a notion we introduce), where the function that is being computed is specified only in the k-th round of the protocol.
As immediate corollaries of our two compilers, we derive (1) the first round-optimal and circuit-scalable maliciously secure MPC protocol, and (2) the first round-optimal and circuit-independent maliciously secure MPC protocol in the plain model. The latter achieves the best to-date CC for a round-optimal maliciously secure MPC protocol. In fact, it is even communication-optimal when the output size of the function being evaluated is smaller than its input size (e.g., for boolean functions). All of our results are based on standard polynomial time assumptions.
07381 Abstracts Collection -- Cryptography
From 16.09.2007 to 21.09.2007 the Dagstuhl Seminar 07381 "Cryptography" was held
in the International Conference and Research Center (IBFI), Schloss Dagstuhl.
During the seminar, several participants presented their current
research, and ongoing work and open problems were discussed. Abstracts of
the presentations given during the seminar as well as abstracts of
seminar results and ideas are put together in this paper. The first section
describes the seminar topics and goals in general.
Links to extended abstracts or full papers are provided, if available.
The Price of Low Communication in Secure Multi-Party Computation
Traditional protocols for secure multi-party computation among n parties
communicate at least a linear (in n) number of bits, even when computing very
simple functions. In this work we investigate the feasibility of protocols
with sublinear communication complexity. Concretely, we consider two clients,
one of which may be corrupted, who wish to perform some “small” joint
computation using n servers but without any trusted setup. We show that
enforcing sublinear communication complexity drastically affects the
feasibility bounds on the number of corrupted parties that can be tolerated in
the setting of information-theoretic security.
We provide a complete investigation of security in the presence of semi-honest
adversaries---static and adaptive, with and without erasures---and initiate
the study of security in the presence of malicious adversaries. For
semi-honest static adversaries, our bounds essentially match the corresponding
bounds when there is no communication restriction---i.e., we can tolerate up
to t < (1/2 - ε)n corrupted parties. For the adaptive case, however,
the situation is different. We prove that without erasures
even a small constant fraction of corruptions is intolerable, and---more
surprisingly---when erasures are allowed, we prove that t < (1 - √0.5 - ε)n
corruptions can be tolerated, which we also show to be essentially
optimal. The latter optimality proof hinges on a new treatment of
probabilistic adversary structures that may be of independent interest. In the
case of active corruptions in the sublinear communication setting, we prove
that static "security with abort" is feasible when t < (1/2 - ε)n,
namely, the bound that is tight for semi-honest security. All of our negative
results in fact rule out protocols with sublinear message complexity.
- …