The Impossibility Of Secure Two-Party Classical Computation
We present attacks that show that unconditionally secure two-party classical
computation is impossible for many classes of function. Our analysis applies to
both quantum and relativistic protocols. We illustrate our results by showing
the impossibility of oblivious transfer.
Comment: 10 pages
Flexible and Robust Privacy-Preserving Implicit Authentication
Implicit authentication consists of a server authenticating a user based on
the user's usage profile, instead of/in addition to relying on something the
user explicitly knows (passwords, private keys, etc.). While implicit
authentication makes identity theft by third parties more difficult, it
requires the server to learn and store the user's usage profile. Recently, the
first privacy-preserving implicit authentication system was presented, in which
the server does not learn the user's profile. It uses an ad hoc two-party
computation protocol to compare the user's fresh sampled features against an
encrypted stored user's profile. The protocol requires storing the usage
profile and comparing against it using two different cryptosystems, one of them
order-preserving; furthermore, features must be numerical. We present here a
simpler protocol based on set intersection that has the advantages of: i)
requiring only one cryptosystem; ii) not leaking the relative order of fresh
feature samples; iii) being able to deal with any type of features (numerical
or non-numerical).
Keywords: Privacy-preserving implicit authentication, privacy-preserving set
intersection, implicit authentication, active authentication, transparent
authentication, risk mitigation, data brokers.
Comment: IFIP SEC 2015 - Intl. Information Security and Privacy Conference, May 26-28, 2015, IFIP AICT, Springer, to appear
Sequential Iteration of Interactive Arguments and an Efficient Zero-Knowledge Argument for NP
We study the behavior of interactive arguments under sequential iteration, in particular how this affects the error probability. This problem turns out to be more complex than one might expect from the fact that for interactive proofs, the error trivially decreases exponentially in the number of iterations. In particular, we study the typical efficient case where the iterated protocol is based on a single instance of a computational problem. This is not a special case of independent iterations of an entire protocol, and real exponential decrease of the error cannot be expected, but nevertheless, for practical applications, one needs concrete relations between the complexity and error probability of the underlying problem and that of the iterated protocol. We show how this problem can be formalized and solved using the theory of proofs of knowledge.
We also prove that in the non-uniform model of complexity the error probability of independent iterations of an argument does indeed decrease exponentially - to our knowledge this is the first result about a strictly exponentially small error probability in a computational cryptographic security property. As an illustration of our first result, we present a very efficient zero-knowledge argument for circuit satisfiability, and thus for any NP problem, based on any collision-intractable hash function. Our theory applies to show the soundness of this protocol. Using an efficient hash function such as SHA-1, the protocol can handle about 20000 binary gates per second at an error level of 2^−50.
Keywords -- Interactive proofs, arguments, proofs of knowledge, computational security, efficient general primitives, multi-bit commitment, statistical zero-knowledge
Statistical Secrecy and Multi-Bit Commitments
We present and compare definitions of the notion of "statistically hiding" protocols, and we propose a novel statistically hiding commitment scheme. Informally, a protocol statistically hides a secret if a computationally unlimited adversary who conducts the protocol with the owner of the secret learns almost nothing about it. One definition is based on the L1-norm distance between probability distributions, the other on information theory. We prove that the two definitions are essentially equivalent. For completeness, we also show that statistical counterparts of definitions of computational secrecy are essentially equivalent to our main definitions. Commitment schemes are an important cryptologic primitive. Their purpose is to commit one party to a certain value, while hiding this value from the other party until some later time. We present a statistically hiding commitment scheme allowing commitment to many bits. The commitment and reveal protocols of this scheme are constant round, and the size of a commitment is independent of the number of bits committed to. This also holds for the total communication complexity, except of course for the bits needed to send the secret when it is revealed. The proof of the hiding property exploits the equivalence of the two definitions.
Index terms -- Cryptology, Shannon theory, unconditional security, statistically hiding, multi-bit commitment, similarity of ensembles of distributions, zero-knowledge, protocols.
Composability in quantum cryptography
In this article, we review several aspects of composability in the context of
quantum cryptography. The first part is devoted to key distribution. We discuss
the security criteria that a quantum key distribution protocol must fulfill to
allow its safe use within a larger security application (e.g., for secure
message transmission). To illustrate the practical use of composability, we
show how to generate a continuous key stream by sequentially composing rounds
of a quantum key distribution protocol. In a second part, we take a more
general point of view, which is necessary for the study of cryptographic
situations involving, for example, mutually distrustful parties. We explain the
universal composability framework and state the composition theorem which
guarantees that secure protocols can securely be composed to larger
applications.
Comment: 18 pages, 2 figures
Information-Theoretic Broadcast with Dishonest Majority for Long Messages
Byzantine broadcast is a fundamental primitive for secure computation. In a setting with parties in the presence of an adversary controlling at most parties, while a lot of progress in optimizing communication complexity has been made for , little progress has been made for the general case , especially for information-theoretic security. In particular, all information-theoretic secure broadcast protocols for -bit messages and and optimal round complexity have, so far, required a communication complexity of . A broadcast extension protocol allows a long message to be broadcast more efficiently using a small number of single-bit broadcasts. Through broadcast extension, so far, the best achievable round complexity for setting with the optimal communication complexity of is rounds.
In this work, we construct a new broadcast extension protocol for with information-theoretic security. Our protocol improves the round complexity to while maintaining the optimal communication complexity for long messages. Our result shortens the gap between the information-theoretic setting and the computational setting, and between the optimal communication protocol and the optimal round protocol in the information-theoretic setting for
A taxonomy of single sign-on systems
Abstract. At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction. Several architectures for SSO have been developed, each with different properties and underlying infrastructures. This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context. This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches.