16 research outputs found

    Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

    Get PDF
    Ciphertext-Policy Attribute-Based Encryption (CPABE) was introduced by Bethencourt, Sahai, and Waters, as an improvement of Identity Based Encryption, allowing fine grained control of access to encrypted files by restricting access to only users whose attributes match that of the monotonic access tree of the encrypted file. Through these modifications, encrypted files can be placed securely on an unsecure server, without fear of malicious users being able to access the files, while allowing each user to have a unique key, reducing the vulnerabilites associated with sharing a key between multiple users. However, due to the fact that CPABE was designed for the purpose of not using trusted servers, key management strategies such as efficient renewal and immediate key revocation are inherently prevented. In turn, this reduces security of the entire scheme, as a user could maliciously keep a key after having an attribute changed or revoked, using the old key to decrypt files that they should not have access to with their new key. Additionally, the original CPABE implementation provided does not discuss the selection of the underlying bilinear pairing which is used as the cryptographic primitive for the scheme. This thesis explores different possibilites for improvement to CPABE, in both the choice of bilinear group used, as well as support for key management that does not rely on proxy servers while minimizing the communication overhead. Through this work, it was found that nonsupersingular elliptic curves can be used for CPABE, and Barreto-Naehrig curves allowed the fastest encryption and key generation in CHARM, but were the slowest curves for decryption due to the large size of the output group. Key management was performed by using a key-insulation method, which provided helper keys which allow keys to be transformed over different time periods, with revocation and renewal through key update. Unfortunately, this does not allow immediate revocation, and revoked keys are still valid until the end of the time period during which they are revoked. Discussion of other key management methods is presented to show that immediate key revocation is difficult without using trusted servers to control access

    From Fairness to Full Security in Multiparty Computation

    Get PDF
    In the setting of secure multiparty computation (MPC), a set of mutually distrusting parties wish to jointly compute a function, while guaranteeing the privacy of their inputs and the correctness of the output. An MPC protocol is called fully secure if no adversary can prevent the honest parties from obtaining their outputs. A protocol is called fair if an adversary can prematurely abort the computation, however, only before learning any new information. We present highly efficient transformations from fair computations to fully secure computations, assuming the fraction of honest parties is constant (e.g., 1% of the parties are honest). Compared to previous transformations that require linear invocations (in the number of parties) of the fair computation, our transformations require super-logarithmic, and sometimes even super-constant, such invocations. The main idea is to delegate the computation to chosen random committees that invoke the fair computation. Apart from the benefit of uplifting security, the reduction in the number of parties is also useful, since only committee members are required to work, whereas the remaining parties simply listen to the computation over a broadcast channel. One application of these transformations is a new δ\delta-bias coin-flipping protocol, whose round complexity has a super-logarithmic dependency on the number of parties, improving over the protocol of Beimel, Omri, and Orlov (Crypto 2010) that has a linear dependency. A second application is a new fully secure protocol for computing the Boolean OR function, with a super-constant round complexity, improving over the protocol of Gordon and Katz (TCC 2009) whose round complexity is linear in the number of parties. Finally, we show that our positive results are in a sense optimal, by proving that for some functionalities, a super-constant number of (sequential) invocations of the fair computation is necessary for computing the functionality in a fully secure manner

    Is Information-Theoretic Topology-Hiding Computation Possible?

    Get PDF
    Topology-hiding computation (THC) is a form of multi-party computation over an incomplete communication graph that maintains the privacy of the underlying graph topology. Existing THC protocols consider an adversary that may corrupt an arbitrary number of parties, and rely on cryptographic assumptions such as DDH. In this paper we address the question of whether information-theoretic THC can be achieved by taking advantage of an honest majority. In contrast to the standard MPC setting, this problem has remained open in the topology-hiding realm, even for simple privacy-free functions like broadcast, and even when considering only semi-honest corruptions. We uncover a rich landscape of both positive and negative answers to the above question, showing that what types of graphs are used and how they are selected is an important factor in determining the feasibility of hiding topology information-theoretically. In particular, our results include the following. We show that topology-hiding broadcast (THB) on a line with four nodes, secure against a single semi-honest corruption, implies key agreement. This result extends to broader classes of graphs, e.g., THB on a cycle with two semi-honest corruptions. On the other hand, we provide the first feasibility result for information-theoretic THC: for the class of cycle graphs, with a single semi-honest corruption. Given the strong impossibilities, we put forth a weaker definition of distributional-THC, where the graph is selected from some distribution (as opposed to worst-case). We present a formal separation between the definitions, by showing a distribution for which information theoretic distributional-THC is possible, but even topology-hiding broadcast is not possible information-theoretically with the standard definition. We demonstrate the power of our new definition via a new connection to adaptively secure low-locality MPC, where distributional-THC enables parties to reuse a secret low-degree communication graph even in the face of adaptive corruptions

    Concretely Efficient Large-Scale MPC with Active Security (or, TinyKeys for TinyOT)

    Get PDF
    In this work we develop a new theory for concretely efficient, large-scale MPC with active security. Current practical techniques are mostly in the strong setting of all-but-one corruptions, which leads to protocols that scale badly with the number of parties. To work around this issue, we consider a large-scale scenario where a small minority out of many parties is honest and design scalable, more efficient MPC protocols for this setting. Our results are achieved by introducing new techniques for information-theoretic MACs with short keys and extending the work of Hazay et al. (CRYPTO 2018), which developed new passively secure MPC protocols in the same context. We further demonstrate the usefulness of this theory in practice by analyzing the concrete communication overhead of our protocols, which improve upon the most efficient previous works

    Broadcast-Optimal Four-Round MPC in the Plain Model

    Get PDF
    Motivated by the fact that broadcast is an expensive, but useful, resource for the realization of multi-party computation protocols (MPC), Cohen, Garay, and Zikas (Eurocrypt 2020), and subsequently Damgård, Magri, Ravi, Siniscalchi and Yakoubov (Crypto 2021), and, Damgård, Ravi, Siniscalchi and Yakoubov (Eurocrypt 2023), focused on - . In particular, the authors focus on two-round MPC protocols (in the CRS model), and give tight characterizations of which security guarantees are achievable if broadcast is available in the first round, the second round, both rounds, or not at all. This work considers the natural question of characterizing broadcast optimal MPC in the plain model where no set-up is assumed. We focus on four-round protocols, since four is known to be the minimal number of rounds required to securely realize any functionality with black-box simulation. We give a complete characterization of which security guarantees, (namely selective abort, selective identifiable abort, unanimous abort and identifiable abort) are feasible or not, depending on the exact selection of rounds in which broadcast is available

    On Efficient Zero-Knowledge Arguments

    Get PDF

    New Random Oracle Instantiations from Extremely Lossy Functions

    Get PDF
    We instantiate two random oracle (RO) transformations using Zhandry\u27s extremely lossy function (ELF) technique (Crypto\u2716). Firstly, using ELFs and indistinguishabililty obfuscation (iO), we instantiate a modified version of the Fujisaki-Okamoto (FO) transform which upgrades a public-key encryption scheme (PKE) from indistinguishability under chosen plaintext attacks (IND-CPA) to indistinguishability under chosen ciphertext attacks (IND-CCA). We side-step a prior uninstantiability result for FO by Brzuska, Farshim, and Mittelbach (TCC\u2715) by (1) hiding the randomness from the (potentially ill-designed) IND-CPA encryption scheme and (2) embedding an additional secret related to the hash-function into the secret-key of the IND-CCA-secure PKE, an idea brought forward by Murphy, O’Neill, Zaheri (Asiacrypt 2022) who also instantiate a modified FO variant also under ELFs and iO for the class of lossy PKE. Our transformation applies to all PKE which can be inverted given their randomness. Secondly, we instantiate the hash-then-evaluate paradigm for pseudorandom functions (PRFs), PRFnew(k,x):=wPRF(k,RO(x))\mathsf{PRF}_\mathsf{new}(k,x):=\mathsf{wPRF}(k,\mathsf{RO}(x)). Our construction replaces RO\mathsf{RO} by PRFold(kpub,elf(x))\mathsf{PRF}_\mathsf{old}(k_\mathsf{pub},\mathsf{elf}(x)) with a key kpubk_\mathsf{pub}, that, unusually, is known to the distinguishing adversary against PRFnew\mathsf{PRF}_\mathsf{new}. We start by observing that several existing weak PRF candidates are plausibly also secure under such distributions of pseudorandom inputs, generated by PRFold\mathsf{PRF}_\mathsf{old}. Firstly, analogous cryptanalysis applies and/or an attack with such pseudorandom inputs would imply surprising results such as key agreement from the high-noise version of the Learning Parity with Noise (LPN) assumption. Our simple transformation applies to the entire family of PRF-style functions. Specifically, we obtain results for oblivious PRFs, which are a core building block for password-based authenticated key exchange (PAKE) and private set intersection (PSI) protocols, and we also obtain results for pseudorandom correlation functions (PCF), which are a key tool for silent oblivious transfer (OT) extension

    SoK: Vector OLE-Based Zero-Knowledge Protocols

    Get PDF
    A zero-knowledge proof is a cryptographic protocol where a prover can convince a verifier that a statement is true, without revealing any further information except for the truth of the statement. More precisely, if xx is a statement from an NP language verified by an efficient machine MM, then a zero-knowledge proof aims to prove to the verifier that there exists a witness ww such that M(x,w)=1M(x,w)=1, without revealing any further information about ww. The proof is a proof of knowledge, if the prover additionally convinces the verifier that it knows the witness ww, rather than just of its existence. This article is a survey of recent developments in building practical systems for zero-knowledge proofs of knowledge using vector oblivious linear evaluation (VOLE), a tool from secure two-party computation

    Minimizing Setup in Broadcast-Optimal Two Round MPC

    Get PDF
    In this paper we consider two-round secure computation protocols which use different communication channels in different rounds: namely, protocols where broadcast is available in neither round, both rounds, only the first round, or only the second round. The prior works of Cohen, Garay and Zikas (Eurocrypt 2020) and Damgård, Magri, Ravi, Siniscalchi and Yakoubov (Crypto 2021) give tight characterizations of which security guarantees are achievable for various thresholds in each communication structure. In this work, we introduce a new security notion, namely, selective identifiable abort, which guarantees that every honest party either obtains the output, or aborts identifying one corrupt party (where honest parties may potentially identify different corrupted parties). We investigate what broadcast patterns in two-round MPC allow achieving this guarantee across various settings (such as with or without PKI, with or without an honest majority). Further, we determine what is possible in the honest majority setting without a PKI, closing a question left open by Damgård et al. We show that without a PKI, having an honest majority does not make it possible to achieve stronger security guarantees compared to the dishonest majority setting. However, if two-thirds of the parties are guaranteed to be honest, identifiable abort is additionally achievable using broadcast only in the second round. We use fundamentally different techniques from the previous works to avoid relying on private communication in the first round when a PKI is not available, since assuming such private channels without the availability of public encryption keys is unrealistic. We also show that, somewhat surprisingly, the availability of private channels in the first round does not enable stronger security guarantees unless the corruption threshold is one

    LIPIcs, Volume 251, ITCS 2023, Complete Volume

    Get PDF
    LIPIcs, Volume 251, ITCS 2023, Complete Volum
    corecore