Lower and Upper Bounds for Deniable Public-Key Encryption
A deniable cryptosystem allows a sender and a receiver to
communicate over an insecure channel in such a way that the
communication remains secure even if the adversary can threaten the
parties into revealing their internal states after the protocol has
run. This is achieved by letting the parties alter their internal
state so that a given ciphertext appears to decrypt to a message
different from the one it really encrypts. Deniable encryption was
introduced to let a party deny that a particular message was
exchanged, and hence to resist coercion.
Depending on which parties can be coerced, the security level, the
flavor and the number of rounds of the cryptosystem, it is possible
to define a number of notions of deniable encryption.
In this paper we prove that there does not exist any non-interactive
receiver-deniable cryptosystem with better than polynomial
security. This also shows that it is impossible to construct a
non-interactive bi-deniable public-key encryption scheme with better
than polynomial security. Specifically, we give an explicit bound
relating the security of the scheme to how efficient the scheme is
in terms of key size. Our impossibility result establishes a lower
bound on the security.
As a final contribution we give constructions of deniable public-key
encryption schemes which establish upper bounds on the security in
terms of key length. There is a gap between our lower and upper
bounds, which leaves the interesting open problem of finding the
tight bounds.
MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions
One of the main tools for constructing secure two-party computation protocols is Yao's garbled circuits. Using the cut-and-choose technique, one can get reasonably efficient Yao-based protocols with security against malicious adversaries. At TCC 2009, Nielsen and Orlandi suggested applying cut-and-choose at the gate level, whereas previously cut-and-choose was applied to the circuit as a whole. This appealing idea allows for a speed-up of practical significance (on the order of the logarithm of the size of the circuit) and has become known as the ``LEGO'' construction. Unfortunately the construction by Nielsen and Orlandi is based on a specific number-theoretic assumption and requires public-key operations per gate of the circuit.
The main technical contribution of this work is a new XOR-homomorphic commitment scheme based on oblivious transfer, that we use to cope with the problem of connecting the gates in the LEGO construction. Our new protocol has the following advantages:
\begin{enumerate}
\item
It maintains the efficiency of the LEGO cut-and-choose.
\item
After a number of seed oblivious transfers linear in the security parameter, the construction uses only primitives from Minicrypt (i.e., private-key cryptography) per gate in the circuit (hence the name MiniLEGO).
\item
Unlike the original LEGO, MiniLEGO is compatible with all known optimizations for Yao garbled gates (row reduction, free-XOR, point-and-permute).
\end{enumerate}
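The third item refers to the standard garbled-gate optimizations. The following is an added example, not code from MiniLEGO or its authors: a garbled AND gate with free-XOR and point-and-permute in Python, evaluated inside a tiny circuit f(a,b,c) = (a AND b) XOR c. SHA-256 stands in for the circular-correlation-robust hash that free-XOR assumes, the label length is a toy parameter, and row reduction is left out so that all four rows of the table are visible; garbler and evaluator run in one process here, whereas in a real protocol the evaluator obtains its input labels through oblivious transfer.

```python
import hashlib
import os

LABEL_LEN = 16  # bytes per wire label; toy parameter chosen for the example (assumption)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def lsb(label):
    # point-and-permute pointer bit: the last bit of the label
    return label[-1] & 1


def row_key(ka, kb, gate_id):
    # per-row key derivation; SHA-256 as stand-in for a circular-correlation-robust hash (assumption)
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()[:LABEL_LEN]


class Garbler:
    def __init__(self):
        delta = bytearray(os.urandom(LABEL_LEN))
        delta[-1] |= 1  # lsb(delta) = 1, so the two labels of every wire carry different pointer bits
        self.delta = bytes(delta)
        self.next_gate = 0

    def wire(self):
        k0 = os.urandom(LABEL_LEN)
        return (k0, xor(k0, self.delta))  # (label for 0, label for 1); free-XOR invariant k1 = k0 ^ delta

    def xor_gate(self, wa, wb):
        # free-XOR: the output labels are the XOR of the input labels, no ciphertexts at all
        k0 = xor(wa[0], wb[0])
        return (k0, xor(k0, self.delta))

    def and_gate(self, wa, wb):
        wout = self.wire()
        gid = self.next_gate
        self.next_gate += 1
        table = [None] * 4
        for i in (0, 1):
            for j in (0, 1):
                ka, kb = wa[i], wb[j]
                row = (lsb(ka) << 1) | lsb(kb)  # point-and-permute: pointer bits fix the row, no trial decryption
                table[row] = xor(row_key(ka, kb, gid), wout[i & j])
        return wout, (gid, table)


def eval_xor(ka, kb):
    return xor(ka, kb)


def eval_and(ka, kb, garbled):
    gid, table = garbled
    row = (lsb(ka) << 1) | lsb(kb)
    return xor(row_key(ka, kb, gid), table[row])


def garble_and_evaluate(a, b, c):
    """Garble f(a,b,c) = (a AND b) XOR c, evaluate it on the given bits, return the decoded output bit."""
    g = Garbler()
    wa, wb, wc = g.wire(), g.wire(), g.wire()
    wt, and_table = g.and_gate(wa, wb)
    wout = g.xor_gate(wt, wc)
    decode_bit = lsb(wout[0])  # output decoding information the garbler sends along with the tables
    # evaluator side: holds exactly one label per input wire plus the single AND table
    kt = eval_and(wa[a], wb[b], and_table)
    kout = eval_xor(kt, wc[c])
    assert kout in wout  # sanity check: the evaluator ended up with a valid label for the output wire
    return lsb(kout) ^ decode_bit
```

Because lsb(delta) = 1, the pointer bit of the output label equals the decoding bit XOR the wire's value, which is how the evaluator reads the result without learning anything about the label it did not receive.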
Signature Schemes Secure Against Hard-to-Invert Leakage
Side-channel attacks allow the adversary to gain partial knowledge of the secret key when cryptographic protocols are implemented in real-world hardware. The goal of leakage-resilient cryptography is to design cryptosystems that withstand such attacks. In the auxiliary input model, an adversary is allowed to see a computationally hard-to-invert function of the secret key. The auxiliary input model weakens the bounded leakage assumption commonly made in leakage-resilient cryptography, as the hard-to-invert function may information-theoretically reveal the entire secret key. In this work, we propose the first constructions of digital signature schemes that are secure in the auxiliary input model. Our main contribution is a digital signature scheme that is secure against chosen message attacks when given any exponentially hard-to-invert function of the secret key. As a second contribution, we construct a signature scheme that achieves security for random messages assuming that the adversary is given a polynomial-time hard-to-invert function (where both the challenge and the signatures seen before it are computed on random messages). Here, polynomial hardness is required even when given the entire public key. We further show that such signature schemes readily give us auxiliary input secure identification schemes.
Signature Schemes Secure against Hard-to-Invert Leakage
Abstract. In the auxiliary input model an adversary is allowed to see a computationally hard-to-invert function of the secret key. The auxiliary input model weakens the bounded leakage assumption commonly made in leakage-resilient cryptography, as the hard-to-invert function may information-theoretically reveal the entire secret key. In this work, we propose the first constructions of digital signature schemes that are secure in the auxiliary input model. Our main contribution is a digital signature scheme that is secure against chosen message attacks when given an exponentially hard-to-invert function of the secret key. As a second contribution, we construct a signature scheme that achieves security for random messages assuming that the adversary is given a polynomial-time hard-to-invert function. Here, polynomial hardness is required even when given the entire public key, so-called weak auxiliary input security. We show that such signature schemes readily give us auxiliary input secure identification schemes.
Confidential benchmarking based on multiparty computation
We report on the design and implementation of a system that uses multiparty computation to enable banks to benchmark their customers' confidential performance data against a large representative set of confidential performance data from a consultancy house. The system ensures that both the banks' and the consultancy house's data stay confidential; the banks, as clients, learn nothing but the computed benchmarking score. In the concrete business application, the developed prototype helps Danish banks find the most efficient customers among a large and challenging group of agricultural customers with too much debt. We propose a model based on linear programming for the benchmarking and implement it using the SPDZ protocol by Damgård et al., which we modify using a new idea that allows clients to supply data and get output without having to participate in the preprocessing phase and without keeping state during the computation.
We ran the system with two servers doing the secure computation, using a database with information on about 2500 users. Answers arrived in about 25 seconds.
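To make concrete what "supply data without participating in preprocessing and without keeping state" looks like at the protocol level, here is an added example in Python; it is not the paper's code and does not reproduce its scheme. Two servers hold additive shares modulo a prime; the offline phase (a trusted-dealer stand-in here) leaves them with shares of random masks; a client's entire involvement is to receive the shares of one mask, send back its input minus that mask, and later collect output shares. The weights, bank data and baseline vector are constructed toy inputs, the linear score stands in for the paper's LP model, and the SPDZ MACs that give active security are omitted, so this is passive security only.

```python
import secrets

P = (1 << 61) - 1  # prime modulus of the arithmetic sharing; toy size chosen for the example (assumption)


def share(x, n=2):
    """Additively share x mod P among n servers (trusted-dealer stand-in for the offline phase)."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    return sum(shares) % P


class Server:
    """A computing server. It only ever holds shares; no client value appears here in the clear."""

    def __init__(self, idx):
        self.idx = idx
        self.masks = []    # shares of random r values from preprocessing, consumed one per client input
        self.pending = {}  # input name -> share of the mask handed to that client
        self.values = {}   # wire name -> this server's share

    def preprocess(self, mask_share):
        self.masks.append(mask_share)

    def begin_input(self, name):
        # hand the client this server's share of a fresh mask r; remember it for finish_input
        self.pending[name] = self.masks.pop(0)
        return self.pending[name]

    def finish_input(self, name, epsilon):
        # the client sent epsilon = x - r; [x] = [r] + epsilon, the public constant added by server 0 only
        r_share = self.pending.pop(name)
        self.values[name] = (r_share + (epsilon if self.idx == 0 else 0)) % P

    def linear(self, out, terms):
        # out = sum(coef * value) for public coefficients: purely local on additive shares
        self.values[out] = sum(coef * self.values[name] for coef, name in terms) % P

    def output_share(self, name):
        return self.values[name]


def client_input(servers, name, x):
    """The input party's whole involvement: one message received, one message sent, no state kept."""
    r = reconstruct([s.begin_input(name) for s in servers])
    epsilon = (x - r) % P  # uniformly random because r is, so the servers learn nothing about x
    for s in servers:
        s.finish_input(name, epsilon)


def client_output(servers, name):
    y = reconstruct([s.output_share(name) for s in servers])
    return y - P if y > P // 2 else y  # map back to a signed integer


def run_benchmark(weights=(3, 1, 2), bank_data=(120, 40, 75), baseline=(100, 50, 60)):
    """Score = sum_i weights[i] * (bank_data[i] - baseline[i]); weights public, both data vectors private.
    Constructed toy inputs; the paper's LP-based benchmarking model is not reproduced here (assumption)."""
    servers = [Server(0), Server(1)]
    # offline phase: the servers obtain shares of enough random masks; no client is involved
    for _ in range(len(weights) * 2):
        for s, sh in zip(servers, share(secrets.randbelow(P))):
            s.preprocess(sh)
    # online phase: the consultancy house and the bank each inject their private vector
    for i, v in enumerate(baseline):
        client_input(servers, f"c{i}", v)
    for i, v in enumerate(bank_data):
        client_input(servers, f"x{i}", v)
    terms = [(w, f"x{i}") for i, w in enumerate(weights)] + [(-w % P, f"c{i}") for i, w in enumerate(weights)]
    for s in servers:
        s.linear("score", terms)
    return client_output(servers, "score")
```

Anything beyond linear combinations (the multiplications an LP solver needs) requires preprocessed multiplication triples and one round of interaction between the servers per multiplication, and an actively secure deployment would additionally attach SPDZ MACs to every share and let the client verify them on output.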
High-performance multi-party computation for binary circuits based on oblivious transfer
We present a unified view of the two-party and multi-party computation protocols based on oblivious transfer first outlined in Nielsen et al. (CRYPTO 2012) and Larraia et al. (CRYPTO 2014). We present a number of modifications and improvements to these earlier presentations, as well as full proofs of the entire protocol. Improvements include a unified pre-processing and online MAC methodology, mechanisms to pass between different MAC variants, and fixing a minor bug in the protocol of Larraia et al. in relation to a selective failure attack. It also fixes a minor bug in Nielsen et al. resulting from using Jensen's inequality in the wrong direction in an analysis.
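The MAC methodology these OT-based protocols build on authenticates each secret bit with an information-theoretic MAC under a global key. The following added example, not code from the paper, shows the two-party authenticated-bit form in Python: party A holds a bit x and MAC M, party B holds a local key K and the global key delta with M = K XOR x*delta. It exercises the three properties the online phase relies on: verification, detection of a flipped bit, and linearity under XOR (with another authenticated bit, or with a public constant). The OT-based generation of the MACs, which is where the cited selective-failure issue lives, and the multi-party extension are not shown; for illustration B computes A's MAC directly, which is an assumption of this example only.

```python
import secrets

KAPPA = 128  # MAC and key length in bits; security parameter chosen for the example (assumption)


class KeyHolder:
    """Party B: holds the global key delta and one local key per bit authenticated towards it."""

    def __init__(self):
        self.delta = secrets.randbits(KAPPA) | 1  # delta != 0, otherwise a flipped bit would verify

    def authenticate(self, x):
        """Return (key, mac) for bit x with mac = key ^ x*delta.
        In the real protocol A receives mac via oblivious transfer so B never learns x;
        here both values are computed in one place for illustration (assumption)."""
        key = secrets.randbits(KAPPA)
        return key, key ^ (self.delta if x else 0)

    def verify(self, x, mac, key):
        return mac == (key ^ (self.delta if x else 0))

    def key_add_const(self, key, c):
        # B's side of XOR with a public constant c: the key absorbs c*delta, A's MAC is unchanged
        return key ^ (self.delta if c else 0)


# Party A's side: an authenticated bit is the pair (x, mac); these are linear under XOR.
def abit_xor(ab1, ab2):
    return (ab1[0] ^ ab2[0], ab1[1] ^ ab2[1])


def abit_add_const(ab, c):
    return (ab[0] ^ c, ab[1])


def run_checks(x=1, y=0, c=1):
    """Exercise the properties the online phase relies on; returns a dict of booleans."""
    b = KeyHolder()
    kx, mx = b.authenticate(x)
    ky, my = b.authenticate(y)

    honest = b.verify(x, mx, kx)

    # A flips the bit but cannot adjust the MAC without delta: the check fails with certainty,
    # and a guessed replacement MAC passes only with probability 2^-KAPPA
    flipped_caught = not b.verify(x ^ 1, mx, kx)

    # XOR of two authenticated bits: A XORs (bit, mac), B XORs the keys, no interaction needed
    z, mz = abit_xor((x, mx), (y, my))
    xor_ok = (z == x ^ y) and b.verify(z, mz, kx ^ ky)

    # XOR with a public constant: A adjusts the bit, B adjusts the key
    w, mw = abit_add_const((x, mx), c)
    const_ok = (w == x ^ c) and b.verify(w, mw, b.key_add_const(kx, c))

    return {"honest": honest, "flipped_caught": flipped_caught, "xor_ok": xor_ok, "const_ok": const_ok}
```

The flip check fails deterministically because accepting (x XOR 1, M) would require x*delta = (x XOR 1)*delta, i.e. delta = 0. AND gates are the part that cannot be done locally; they consume preprocessed authenticated multiplication triples, which is what the pre-processing phase in the abstract produces.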