CORE
COnnecting
REpositories

    1,721,013 research outputs found

    Static vs. Adaptive Security in Perfect MPC: A Separation and the Adaptive Security of BGW

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    Adaptive security is a highly desirable property in the design of secure protocols. It tolerates adversaries that corrupt parties as the protocol proceeds, as opposed to static security where the adversary corrupts the parties at the onset of the execution. The well-accepted folklore is that static and adaptive securities are equivalent for perfectly secure protocols. Indeed, this folklore is backed up with a transformation by Canetti et al. (EUROCRYPT'01), showing that any perfectly secure protocol that is statically secure and satisfies some basic requirements is also adaptively secure. Yet, the transformation results in an adaptively secure protocol with inefficient simulation (i.e., where the simulator might run in super-polynomial time even if the adversary runs just in polynomial time). Inefficient simulation is problematic when using the protocol as a sub-routine in the computational setting. Our main question is whether an alternative efficient transformation from static to adaptive security exists. We show an inherent difficulty in achieving this goal generically. In contrast to the folklore, we present a protocol that is perfectly secure with efficient static simulation (therefore also adaptively secure with inefficient simulation), but for which efficient adaptive simulation does not exist (assuming the existence of one-way permutations). In addition, we prove that the seminal protocol of Ben-Or, Goldwasser and Wigderson (STOC'88) is secure against adaptive, semi-honest corruptions with efficient simulation. Previously, adaptive security of the protocol, as is, was only known either for a restricted class of circuits, or for all circuits but with inefficient simulation
    DROPS Dagstuhl Research Online Publication Server
    Cryptology ePrint Archive

    Towards characterizing complete fairness in secure two-party computation

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    The well known impossibility result of Cleve (STOC 1986) implies that in general it is impossible to securely compute a function with complete fairness without an honest majority. Since then, the accepted belief has been that nothing non-trivial can be computed with complete fairness in the two party setting. The surprising work of Gordon, Hazay, Katz and Lindell (STOC 2008) shows that this belief is false, and that there exist some non-trivial (deterministic, nite-domain) boolean functions that can be computed fairly. This raises the fundamental question of characterizing complete fairness in secure two-party computation. In this work we show that not only that some or few functions can be computed fairly, but rather an enormous number of functions can be computed fairly. In fact, almost all boolean functions with distinct domain sizes can be computed with complete fairness (for instance, more than 99:999 % of the boolean functions with domain sizes 31 30). The class of functions that is shown to be possible includes also rather involved and highly non-trivial tasks, such as set-membership, evaluation of a private (boolean) function, private matchmaking and set-disjointness
    CiteSeerX
    Crossref
    Cryptology ePrint Archive

    Simple Is COOL: Graded Dispersal and Its Applications for Byzantine Fault Tolerance

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    The COOL protocol of Chen (DISC'21) is a major advance that enables perfect security for various tasks (in particular, Byzantine Agreement in Synchrony and Reliable Broadcast in Asynchrony). For an input of size L bits, its communication complexity is O(nL+n² log n), which is optimal up to a log n factor. Unfortunately, Chen’s analysis is rather intricate and complex. Our main contribution is a simple analysis of a new variant of COOL based on elementary counting arguments. Our main consistency proof takes less than two pages (instead of over 20 pages), making the COOL protocol much more accessible. In addition, the simple analysis allows us to improve the protocol by reducing one round of communication and reducing the communication complexity by 40%. In addition, we suggest a new way of extracting the core properties of COOL as a new primitive, which we call Graded Dispersal. We show how Graded Dispersal can then be used to obtain efficient solutions for Byzantine Agreement, Verifiable Information Dispersal, Gradecast, and Reliable Broadcast (in both Synchrony and Asynchrony, where appropriate). Our improvement of COOL directly applies here, and we improve the state-of-the-art in all those primitives by reducing at least one round and 40% communication
    DROPS Dagstuhl Research Online Publication Server

    Utility Dependence in Correct and Fair Rational Secret Sharing

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    The problem of carrying out cryptographic computations when the participating parties are \emph{rational} in a game-theoretic sense has recently gained much attention. One problem that has been studied considerably is that of rational secret sharing. In this setting, the aim is to construct a mechanism (protocol) so that parties behaving rationally have incentive to cooperate and provide their shares in the reconstruction phase, even if each party prefers to be the only one to learn the secret. Although this question was only recently asked by Halpern and Teague (STOC 2004), a number of works with beautiful ideas have been presented to solve this problem. However, they all have the property that the protocols constructed need to know the actual utility values of the parties (or at least a bound on them). This assumption is very problematic because the utilities of parties are not public knowledge. We ask whether this \emph{dependence on the actual utility values} is really necessary and prove that in the case of two parties, rational secret sharing cannot be achieved without it. On the positive side, we show that in the multiparty case it is possible to construct a single mechanism that works for all (polynomial) utility functions. Our protocol has an expected number of rounds that is constant, and is optimally resilient to coalitions. In addition to the above, we observe that the known protocols for rational secret sharing that do not assume simultaneous channels all suffer from the problem that one of the parties can cause the others to output an incorrect value. (This problem arises when a party gains higher utility by having another output an incorrect value than by learning the secret itself; we argue that such a scenario needs to be considered.) We show that this problem is inherent in the non-simultaneous channels model, unless the actual values of the parties\u27 utilities from this attack is known, in which case it is possible to prevent this from happening
    Crossref
    Cryptology ePrint Archive

    On Constructing One-Way Permutations from Indistinguishability Obfuscation

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    We prove that there is no black-box construction of a one-way permutation family from a one-way function and an indistinguishability obfuscator for the class of all oracle-aided circuits, where the construction is domain invariant (i.e., where each permutation may have its own domain, but these domains are independent of the underlying building blocks). Following the framework of Asharov and Segev (FOCS \u2715), by considering indistinguishability obfuscation for oracle-aided circuits we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC \u2714) and its variants, as well as sub-exponential security assumptions. For example, we fully capture the construction of a trapdoor permutation family from a one-way function and an indistinguishability obfuscator due to Bitansky, Paneth and Wichs (TCC \u2716). Their construction is not domain invariant and our result shows that this, somewhat undesirable property, is unavoidable using the common techniques. In fact, we observe that constructions which are not domain invariant circumvent all known negative results for constructing one-way permutations based on one-way functions, starting with Rudich\u27s seminal work (PhD thesis \u2788). We revisit this classic and fundamental problem, and resolve this somewhat surprising gap by ruling out all such black-box constructions -- even those that are not domain invariant
    Cryptology ePrint Archive

    Limits on the power of indistinguishability obfuscation and functional encryption

    Author
    Publication venue
    Publication date
    Field of study
    No full text
    Recent breakthroughs in cryptography have positioned indistinguishability obfuscation as a "central hub" for almost all known cryptographic tasks, and as an extremely powerful building block for new cryptographic tasks resolving long-standing and foundational open problems. However, constructions based on indistinguishability obfuscation almost always rely on non-black-box techniques, and thus the extent to which it can be used as a building block has been completely unexplored so far. We present a framework for proving meaningful negative results on the power of indistinguishability obfuscation. By considering indistinguishability obfuscation for oracle-aided circuits, we capture the common techniques that have been used so far in constructions based on indis-tinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC '14) and its variants, as well as sub-exponential security assumptions. Within our framework we prove the rst negative results on the power of indistinguishability obfuscation and of the tightly related notion of functional encryption. Our results are as follows
    CiteSeerX
    Crossref

    Oblivious Parallel Tight Compaction

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    In tight compaction one is given an array of balls some of which are marked 0 and the rest are marked 1. The output of the procedure is an array that contains all of the original balls except that now the 0-balls appear before the 1-balls. In other words, tight compaction is equivalent to sorting the array according to 1-bit keys (not necessarily maintaining order within same-key balls). Tight compaction is not only an important algorithmic task by itself, but its oblivious version has also played a key role in recent constructions of oblivious RAM compilers. We present an oblivious deterministic algorithm for tight compaction such that for input arrays of n balls requires O(n) total work and O(log n) depth. Our algorithm is in the Exclusive-Read-Exclusive-Write Parallel-RAM model (i.e., EREW PRAM, the most restrictive PRAM model), and importantly we achieve asymptotical optimality in both total work and depth. To the best of our knowledge no earlier work, even when allowing randomization, can achieve optimality in both total work and depth
    DROPS Dagstuhl Research Online Publication Server
    Cryptology ePrint Archive
    Archivio istituzionale della ricerca - Università di Padova

    Perfect (Parallel) Broadcast in Constant Expected Rounds via Statistical VSS

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    We study broadcast protocols in the information-theoretic model under optimal conditions, where the number of corruptions tt is at most one-third of the parties, nn. While worst-case Ω(n)\Omega(n) round broadcast protocols are known to be impossible to achieve, protocols with an expected constant number of rounds have been demonstrated since the seminal work of Feldman and Micali [STOC\u2788]. Communication complexity for such protocols has gradually improved over the years, reaching O(nL)O(nL) plus expected O(n4logn)O(n^4\log n) for broadcasting a message of size LL bits. This paper presents a perfectly secure broadcast protocol with expected constant rounds and communication complexity of O(nL)O(nL) plus expected O(n3log2n)O(n^3 \log^2n) bits. In addition, we consider the problem of parallel broadcast, where nn senders, each wish to broadcast a message of size LL. We show a parallel broadcast protocol with expected constant rounds and communication complexity of O(n2L)O(n^2L) plus expected O(n3log2n)O(n^3 \log^2n) bits. Our protocol is optimal (up to expectation) for messages of length LΩ(nlog2n)L \in \Omega(n \log^2 n). Our main contribution is a framework for obtaining perfectly secure broadcast with an expected constant number of rounds from a statistically secure verifiable secret sharing. Moreover, we provide a new statistically secure verifiable secret sharing where the broadcast cost per participant is reduced from O(nlogn)O(n \log n) bits to only O(polylogn)O({\sf poly} \log n) bits. All our protocols are adaptively secure
    Cryptology ePrint Archive

    A Full Proof of the BGW Protocol for Perfectly-Secure Multiparty Computation

    Author
    Publication venue
    Publication date
    Field of study
    Full text link
    In the setting of secure multiparty computation, a set of nn parties with private inputs wish to jointly compute some functionality of their inputs. One of the most fundamental results of secure computation was presented by Ben-Or, Goldwasser and Wigderson (BGW) in 1988. They demonstrated that any nn-party functionality can be computed with \emph{perfect security}, in the private channels model. When the adversary is semi-honest this holds as long as t<n/2t<n/2 parties are corrupted, and when the adversary is malicious this holds as long as t<n/3t<n/3 parties are corrupted. Unfortunately, a full proof of these results was never published. In this paper, we remedy this situation and provide a full proof of security of the BGW protocol. This includes a full description of the protocol for the malicious setting, including the construction of a new subprotocol for the perfect multiplication protocol that seems necessary for the case of n/4t<n/3n/4\leq t<n/3
    Cryptology ePrint Archive

    On Constructing One-Way Permutations from Indistinguishability Obfuscation

    Author
    Publication venue
    Publication date
    Field of study
    No full text
    Crossref
    corecore