Ran Canetti Scribe : Dah - Yoh
ثبت نشده
چکیده
1 Recap Last lecture we started to look at how we could realize any two-party functionality for any number of faults in the F CRS-hybrid model. In this lecture we will finish this discussion and extend it to the multi-party case. We will also note that we can get rid of the CRS in the case of an honest majority. All the material in this lecture is taken from [CLOS02]. In more detail, we follow the [GMW87] paradigm of first constructing a protocol secure against semi-honest adversaries (i.e., even the corrupted parties follow the protocol specification), then constructing a general compiler that transforms protocols secure against semi-honest adversaries to " equivalent " protocols secure against Byzantine adversaries. In the previous lecture we presented the ideal oblivious transfer functionality, F OT. In this lecture we will show how to realize F OT for semi-honest adversaries in the plain model, and show how to realize any functionality in the F OT-hybrid model. Recall that there are two natural variants of the semi-honest adversarial model. In the first variant the adversaries can change the inputs of the corrupted parties, but are otherwise passive. In the second variant the environment talks directly with the parties, and the adversaries only listen (cannot even change the inputs). These variants are incomparable, because there are protocols secure under one model but insecure under the other. We will actually need the first variant for the compiler, but the protocol we are going to see shortly is secure under both variants. Recall that in lecture 8 we defined " standard functionalities " as the functionalities which do not utilize their direct knowledge of the identities of the corrupt parties. Specifically, it consists of an " outer shell " and a " core ". The core is an arbitrary probabilistic polynomial-time algorithm, while the shell is a simple interfacing procedure described as follows. The shell forwards any incoming messages to the core, with the exception that notifications of corruptions of parties are not forwarded to the core. Outgoing messages generated by the core are copied by the shell to the subroutine output tape of the recipient. On top of these, S is allowed to delay the receiving of inputs and sending of outputs: the shell actually notifies S about its intentions, and only carries on to do so when S OKs it. In handling corruptions the shell hands an output …
منابع مشابه
Ran Canetti Scribe : Dah - Yoh
1 Recap Last lecture we started to look at how we could realize any two-party functionality for any number of faults in the F CRS-hybrid model. In this lecture we will finish this discussion and extend it to the multi-party case. We will also note that we can get rid of the CRS in the case of an honest majority. All the material in this lecture is taken from [CLOS02]. In more detail, we follow ...
متن کاملCryptoBytes Volume 3 Number 1
(continued on page 3) Ran Canetti and Rosario Gennaro are Research Staff Members at the IBM T.J. Watson Research Center. They can be contacted at [email protected] and [email protected], respectively. Amir Herzberg manages the Network Computing and Security Group at the IBM Haifa Research Lab (Tel-Aviv Annex), and Dalit Naor is a Research Staff Member there. They can be reached at ami...
متن کاملHow to Protect Yourself without Perfect Shredding
Erasing old data and keys is an important capability of honest parties in cryptographic protocols. It is useful in many settings, including proactive security in the presence of a mobile adversary, adaptive security in the presence of an adaptive adversary, forward security, and intrusion resilience. Some of these settings, such as achieving proactive security, is provably impossible without so...
متن کامل