Catálogo de publicaciones - libros

We consider the cryptographic two-party protocol task of extending a given coin toss. The goal is to generate common random coins from a single use of an ideal functionality which gives < common random coins to the parties. In the framework of Universal Composability we show the impossibility of securely extending a coin toss for statistical and perfect security. On the other hand, for computational security the existence of a protocol for coin toss extension depends on the number of random coins which can be obtained “for free”.

For the case of stand-alone security, i.e., a simulation based security definition without an environment, we present a novel protocol for unconditionally secure coin toss extension. The new protocol works for superlogarithmic , which is optimal as we show the impossibility of statistically secure coin toss extension for smaller .

Combining our results with already known results, we obtain a (nearly) complete characterization under which circumstances coin toss extension is possible.

We consider the framework of secure -party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgård, and Nielsen at Eurocrypt 2001. When used with Paillier’s cryptosystem, this framework allows for efficient secure evaluation of any arithmetic circuit defined over ℤ, where is the RSA modulus of the underlying Paillier cryptosystem.

In this paper, we extend the scope of the framework by considering the problem of converting a given Paillier encryption of a value  ∈ ℤ into Paillier encryptions of the bits of . We present solutions for the general case in which can be any integer in {0,1,..., – 1}, and for the restricted case in which < /(2) for a security parameter . In the latter case, we show how to extract the ℓ least significant bits of (in encrypted form) in time proportional to ℓ, typically saving a factor of log /ℓ compared to the general case.

Thus, intermediate computations that rely in an essential way on the binary representations of their input values can be handled without enforcing that the computation is done bitwise. Typical examples involve the relational operators such as < and =. As a specific scenario we will consider the setting for (approximate) matching of biometric templates, given as bit strings.

The standard security definition of unconditional secure function evaluation, which is based on the ideal/real model paradigm, has the disadvantage of being overly complicated to work with in practice. On the other hand, simpler ad-hoc definitions tailored to special scenarios have often been flawed. Motivated by this unsatisfactory situation, we give an information-theoretic security definition of secure function evaluation which is very simple yet provably equivalent to the standard, simulation-based definitions.

We introduce and motivate the concept of unclonable group identification, that provides maximal protection against sharing of identities while still protecting the anonymity of users. We prove that the notion can be realized from any one-way function and suggest a more efficient implementation based on specific assumptions.

We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let be the total number of users. Our system generates ciphertexts of size and private keys of size (1). We first introduce a simpler primitive we call (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with size ciphertexts. Our system uses bilinear maps in groups of composite order.

We present the currently simplest, most efficient, optimally resilient, adaptively secure, and proactive threshold RSA scheme. A main technical contribution is a new rewinding strategy for analysing threshold signature schemes. This new rewinding strategy allows to prove adaptive security of a proactive threshold signature scheme which was previously assumed to be only statically secure. As a separate contribution we prove that our protocol is secure in the UC framework.