Covert Security with Public Verifiability: Faster, Leaner, and Simpler
The notion of covert security for secure two-party computation serves as a compromise between the traditional semi-honest and malicious security definitions. Roughly, covert security ensures that cheating behavior is detected by the honest party with reasonable probability. It provides more realistic guarantees than semi-honest security with significantly less overhead than is required by malicious security.
The rationale for covert security is that it dissuades cheating by parties that care about their reputation and do not want to risk being caught. Further thought, however, shows that a much stronger disincentive is obtained if the honest party can generate a publicly verifiable certificate of misbehavior when cheating is detected. While the corresponding notion of publicly verifiable covert (PVC) security has been explored, existing PVC protocols are complex and less efficient than the best-known covert protocols, and have impractically large certificates.
We propose a novel PVC protocol that significantly improves on prior work. Our protocol uses only "off-the-shelf" primitives (in particular, it avoids signed oblivious transfer) and, for deterrence factor 1/2, has only 20-40% overhead (depending on the circuit size and network bandwidth) compared to state-of-the-art semi-honest protocols. Our protocol also has, for the first time, constant-size certificates of cheating (e.g., 354 bytes long at the 128-bit security level).
As our protocol offers strong security guarantees with low overhead, we suggest that it is the best choice for many practical applications of secure two-party computation.
The Exact Round Complexity of Secure Computation
We revisit the exact round complexity of secure computation in the multi-party and two-party settings. For the special case of two parties without a simultaneous message exchange channel, this question has been extensively studied and resolved. In particular, Katz and Ostrovsky (CRYPTO '04) proved that 5 rounds are necessary and sufficient for securely realizing every two-party functionality where both parties receive the output. However, the exact round complexity of general multi-party computation, as well as two-party computation with a simultaneous message exchange channel, is not very well understood.
These questions are intimately connected to the round complexity of non-malleable commitments. Indeed, the exact relationship between the round complexities of non-malleable commitments and secure multi-party computation has also not been explored.
In this work, we revisit these questions and obtain several new results. First, we establish the following main results. Suppose that there exists a k-round non-malleable commitment scheme, and let k' = max(4, k + 1); then,
– (Two-party setting with simultaneous message transmission): there exists a k'-round protocol for securely realizing every two-party functionality;
– (Multi-party setting): there exists a k'-round protocol for securely realizing the multi-party coin-flipping functionality.
As a corollary of the above results, by instantiating them with existing non-malleable commitment protocols (from the literature), we establish that four rounds are both necessary and sufficient for both the results above. Furthermore, we establish that, for every multi-party functionality, five rounds are sufficient. We actually obtain a variety of results offering trade-offs between rounds and the cryptographic assumptions used, depending upon the particular instantiations of underlying protocols.
Efficient UC Commitment Extension with Homomorphism for Free (and Applications)
Homomorphic universally composable (UC) commitments allow for the sender to reveal the result of additions and multiplications of values contained in commitments without revealing the values themselves while assuring the receiver of the correctness of such computation on committed values.
In this work, we construct essentially optimal additively homomorphic UC commitments from any (not necessarily UC or homomorphic) extractable commitment. We obtain amortized linear computational complexity in the length of the input messages and rate 1.
Next, we show how to extend our scheme to also obtain multiplicative homomorphism at the cost of asymptotic optimality but retaining low concrete complexity for practical parameters.
While the previously best constructions use UC oblivious transfer as the main building block, our constructions only require extractable commitments and PRGs, achieving better concrete efficiency and offering new insights into the sufficient conditions for obtaining homomorphic UC commitments.
Moreover, our techniques yield public coin protocols, which are compatible with the Fiat-Shamir heuristic.
These results come at the cost of realizing a restricted version of the homomorphic commitment functionality where the sender is allowed to perform any number of commitments and operations on committed messages but is only allowed to perform a single batch opening of a number of commitments.
Although this functionality seems restrictive, we show that it can be used as a building block for more efficient instantiations of recent protocols for secure multiparty computation and zero-knowledge non-interactive arguments of knowledge.
Security and Efficiency Analysis of the Hamming Distance Computation Protocol Based on Oblivious Transfer
Bringer et al. proposed two cryptographic protocols for the computation of Hamming distance. Their first scheme uses Oblivious Transfer and provides security in the semi-honest model. The other scheme uses Committed Oblivious Transfer and is claimed to provide full security in the malicious case. The proposed protocols have direct implications for biometric authentication schemes between a prover and a verifier where the verifier holds the users' biometric data in plain form.
In this paper, we show that their protocol is not actually fully secure against malicious adversaries. More precisely, our attack breaks the soundness property of their protocol: a malicious user can compute a Hamming distance that differs from the actual value. For biometric authentication systems, this attack allows a malicious adversary to pass the authentication without knowledge of the honest user's input with at most complexity instead of , where is the input length. We propose an enhanced version of their protocol in which this attack is eliminated. The security of our modified protocol is proven using the simulation-based paradigm. Furthermore, regarding efficiency, the modified protocol utilizes Verifiable Oblivious Transfer, which does not require commitments to the outputs and therefore improves efficiency significantly.
Dispelling Myths on Superposition Attacks: Formal Security Model and Attack Analyses
It is of folkloric belief that the security of classical cryptographic protocols is automatically broken if the Adversary is allowed to perform superposition queries and the honest players are forced to perform actions coherently on quantum states. Another widely held intuition is that enforcing measurements on the exchanged messages is enough to protect protocols from these attacks.
However, the reality is much more complex. Security models dealing with superposition attacks only consider unconditional security. Conversely, security models considering computational security assume that all supposedly classical messages are measured, which forbids by construction the analysis of superposition attacks. Boneh and Zhandry have started to study the quantum computational security for classical primitives in their seminal work at Crypto'13, but only in the single-party setting. To the best of our knowledge, an equivalent model in the multiparty setting is still missing.
In this work, we propose the first computational security model considering superposition attacks for multiparty protocols. We show that our new security model is satisfiable by proving the security of the well-known One-Time-Pad protocol and give an attack on a variant of the equally reputable Yao Protocol for Secure Two-Party Computation. The post-mortem of this attack reveals the precise points of failure, yielding highly counter-intuitive results: adding extra classical communication, which is harmless for classical security, can make the protocol become subject to superposition attacks. We use this newly imparted knowledge to construct the first concrete protocol for Secure Two-Party Computation that is resistant to superposition attacks. Our results show that there is no straightforward answer to provide for either the vulnerabilities of classical protocols to superposition attacks or the adapted countermeasures.
Comment: 46 page
Theory of the propagation of coupled waves in arbitrarily-inhomogeneous stratified media
We generalize the invariant imbedding theory of wave propagation and derive new invariant imbedding equations for the propagation of an arbitrary number of coupled waves of any kind in arbitrarily-inhomogeneous stratified media, where the wave equations are effectively one-dimensional. By doing this, we transform the original boundary value problem of coupled second-order differential equations into an initial value problem of coupled first-order differential equations, which makes the numerical solution of the coupled wave equations much easier. Using the invariant imbedding equations, we are able to calculate the matrix reflection and transmission coefficients and the wave amplitudes inside the inhomogeneous media exactly and efficiently. We establish the validity and the usefulness of our results by applying them to the propagation of circularly-polarized electromagnetic waves in one-dimensional photonic crystals made of isotropic chiral media. We find that there are three kinds of bandgaps in these structures and clarify the nature of these bandgaps by exact calculations.
Comment: 7 pages, 1 figure, to appear in Europhys. Let
Prospective Epidemiological Observations on the Course of the Disease in Fibromyalgia Patients
OBJECTIVES: The aim of the study was to carry out a survey of patients with fibromyalgia (FM), to examine their general health status and work incapacity (disability-pension status), and their views on the effectiveness of the therapy received, over a two-year observation period. METHODS: 48 patients diagnosed with FM according to the American College of Rheumatology (ACR) criteria took part in the study. At baseline, and on average two years later, the patients underwent clinical investigation (dolorimetry, laboratory diagnostics, medical history taking) and completed the Fibromyalgia questionnaire (Dettmer and Chrostek [1]). RESULTS: 27/48 (56%) patients participated in the two-year follow-up. In general, the patients showed no improvement in their symptoms over the observation period, regardless of the type of therapy they had received. General satisfaction with quality of life improved, as did satisfaction regarding health status and the family situation, although the degree of pain experienced remained unchanged. In comparison with the initial examination, there was no change in either work capacity or disability-pension status. CONCLUSIONS: The FM patients showed no improvement in pain, despite the many different treatments received over the two-year period. The increase in general satisfaction over the observation period was believed to be the result of patient instruction and education about the disease. To what extent a population of patients with FM would show similar outcomes if they did not receive any instruction/education about their disorder cannot be ascertained from the present study; and, indeed, undertaking a study to investigate this would be ethically questionable. At present, no conclusions can be drawn regarding the influence of therapy on the primary and secondary costs associated with FM.
On the Gold Standard for Security of Universal Steganography
While symmetric-key steganography is quite well understood both in the information-theoretic and in the computational setting, many fundamental questions about its public-key counterpart resist persistent attempts to solve them. The computational model for public-key steganography was proposed by von Ahn and Hopper at EUROCRYPT 2004. At TCC 2005, Backes and Cachin gave the first universal public-key stegosystem, i.e. one that works on all channels, achieving security against replayable chosen-covertext attacks (SS-RCCA) and asked whether security against non-replayable chosen-covertext attacks (SS-CCA) is achievable. Later, Hopper (ICALP 2005) provided such a stegosystem for every efficiently sampleable channel, but did not achieve universality. He posed the question whether universality and SS-CCA-security can be achieved simultaneously. No progress on this question has been made for more than a decade. In our work we solve Hopper's problem in a somewhat complete manner: as our main positive result we design an SS-CCA-secure stegosystem that works for every memoryless channel. On the other hand, we prove that this result is the best possible in the context of universal steganography. We provide a family of 0-memoryless channels, where the already sent documents have only marginal influence on the current distribution, and prove that no SS-CCA-secure steganography for this family exists in the standard non-look-ahead model.
Comment: EUROCRYPT 2018, llncs styl
Taxing the Informal Economy: The Current State of Knowledge and Agendas for Future Research
This paper reviews the literature on taxation of the informal economy, taking stock of key debates and drawing attention to recent innovations. Conventionally, the debate on whether to tax has frequently focused on the limited revenue potential, high cost of collection, and potentially adverse impact on small firms. Recent arguments have increasingly emphasised the more indirect benefits of informal taxation in relation to economic growth, broader tax compliance, and governance. More research is needed, we argue, into the relevant costs and benefits for all, including quasi-voluntary compliance, political and administrative incentives for reform, and citizen-state bargaining over taxation.