[Busec] BUsec this week: Abhishek Jain. (**Wed*** 10am)

Sharon Goldberg goldbe at cs.bu.edu
Sun Feb 17 22:22:49 EST 2013

Hi all,

We'll be starting our seminar up again next week, but due to the long
weekend, the talk will be on **Wednesday**, rather than our usual
Monday 10am. Abhishek Jain will tell us about leakage and concurrent
composition this Wed at 10am.  With lunch, as usual.

The following Monday at 10AM, Adam O'Neill will be talking about
bi-deniable public key cryptosystems.

Also another reminder to submit your abstracts to Boston Freedom in
Online Communications Day (BFOC'13) by this Thursday Feb 21!



BUsec Calendar:  http://www.bu.edu/cs/busec/
BUsec Mailing list:  http://cs-mailman.bu.edu/mailman/listinfo/busec
How to get to BU from MIT:  Try the CT2 bus or MIT's "Boston Daytime
Shuttle" http://web.mit.edu/facilities/transportation/shuttles/daytime_boston.html


Title: What Information is Leaked under Concurrent Composition?
Speaker: Abhishek Jain. BU/MIT.
Date: Wed Feb 20, 10AM, MCS137

Abstract: Achieving security under concurrent composition is
 notoriously hard. Indeed, in the plain model, far reaching
 impossibility results for concurrently secure computation are known.
 On the other hand, some positive results have also been obtained
 according to various weaker notions of security (such as by using a
 super-polynomial time simulator). This suggest that somehow, "not all
 is lost in the concurrent setting". Yet, our understanding of what
 exactly is it that goes wrong in the concurrent setting, and, to what
 extent is currently quite unsatisfactory.

In this work, we ask what and exactly how much private information can
 the adversary learn by launching a concurrent attack? "Can he learn
 all the private inputs in all the sessions? Or, can we preserve the
 security of some (or even most) of the sessions fully while
 compromising (a small fraction of) other sessions? Or is it the case
 that the security of all (or most) sessions is (at least partially)
 compromised? If so, can we restrict him to learn an arbitrarily small
 fraction of input in each session?".  We believe the above questions
 to be fundamental to the understanding of concurrent composition.

Towards that end, we take a knowledge-complexity based approach
 (Goldreich-Petrank, STOC'91) to concurrently secure computation by
 allowing the ideal world adversary (a.k.a simulator) to query the
 trusted party for some leakage on the honest party inputs. We obtain
 both positive and negative results, depending upon the nature of the
 leakage queries available to the simulator. Informally speaking, our
 results imply the following: in the concurrent setting, "significant
 loss" of security (translating to high leakage in the ideal world) in
 some of the sessions is unavoidable. However on the brighter side, one
 can make the fraction of such sessions to be an arbitrarily small
 polynomial (while fully preserving the security in all other
 sessions). Our results also have an interesting implication on secure
 computation in the bounded concurrent setting: we show there exist
 protocols which are secure as per the standard ideal/real world notion
 in the bounded concurrent setting. However if the actual number of
 sessions happen to exceed the bound, there is "graceful degradation"
 of security (as the number of sessions increase).

In order to obtain our positive result, we take a "cost-based"
 approach to rewinding in the current setting. In particular, we model
 concurrent rewinding as a set-covering problem and develop what we
 call "sparse rewinding strategies", which yield to other applications
 as well, including improved constructions of precise concurrent

 Joint work with Vipul Goyal and Divya Gupta.

Title: TBA.
Speaker: Adam ONeill. BU.
Date: Monday Feb 25, 10AM, MCS137

In CRYPTO 1997, Canetti et. al put forward the intruiging notion of
{deniable encryption}, which (informally) allows a sender and/or
receiver, having already performed some encrypted communication, to
produce `fake' (but legitimate-looking) random coins that open the
ciphertext to another message. Deniability is a powerful notion for
both practice and theory: apart from its inherent utility for
resisting coercion, a deniable scheme is also noncommitting (a useful
property in constructing adaptively secure protocols) and secure under
selective-opening attacks on whichever parties can equivocate. To
date, however, known constructions have achieved only limited forms of
deniability, requiring at least one party to withhold its randomness,
and in some cases using an interactive protocol or external parties.

In this work we construct {bi-deniable} public-key cryptosystems, in
which both the sender and receiver can simultaneously equivocate; we
stress that the schemes are noninteractive and involve no third
parties. One of our systems is based generically on ``simulatable
encryption'' as defined by Damg{\aa}rd and Nielsen (CRYPTO 2000),
while the other is lattice-based and builds upon the results of
Gentry, Peikert and Vaikuntanathan (STOC 2008) with techniques that
may be of independent interest. Both schemes work in the so-called
``multi-distributional'' model, in which the parties run alternative
key-generation and encryption algorithms for equivocable
communication, but claim under coercion to have run the prescribed
algorithms. Although multi-distributional deniability has not
attracted much attention, we argue that it is meaningful and useful
because it provides credible coercion resistance in certain settings,
and suffices for all of the related properties mentioned above.

More information about the Busec mailing list