[Busec] BUsec this week: Abhishek Jain. (**Wed*** 10am)

Sharon Goldberg goldbe at cs.bu.edu
Tue Feb 19 18:27:35 EST 2013

Hi all,

We'll be starting our seminar up again next week, but due to the long
weekend, the talk will be tomorrow, rather than our usual
Monday 10am. Abhishek Jain will tell us about leakage and concurrent
composition this Wed at 10am in MCS148.  With lunch, as usual.

The following Monday at 10AM, Adam O'Neill will be talking enhanced
chosen-ciphertext security. (Please disregard the abstract for Adam's
talk in my last email; this email has the correct abstract).

Finally, note that the abstract deadline for Boston Freedom in
Online Communications Day (BFOC'13) is this Thursday Feb 21!



BUsec Calendar:  http://www.bu.edu/cs/busec/
BUsec Mailing list:  http://cs-mailman.bu.edu/mailman/listinfo/busec
How to get to BU from MIT:  Try the CT2 bus or MIT's "Boston Daytime
Shuttle" http://web.mit.edu/facilities/transportation/shuttles/daytime_boston.html


Title: What Information is Leaked under Concurrent Composition?
Speaker: Abhishek Jain. BU/MIT.
Date: Wed Feb 20, 10AM, MCS148

Abstract: Achieving security under concurrent composition is
 notoriously hard. Indeed, in the plain model, far reaching
 impossibility results for concurrently secure computation are known.
 On the other hand, some positive results have also been obtained
 according to various weaker notions of security (such as by using a
 super-polynomial time simulator). This suggest that somehow, "not all
 is lost in the concurrent setting". Yet, our understanding of what
 exactly is it that goes wrong in the concurrent setting, and, to what
 extent is currently quite unsatisfactory.

In this work, we ask what and exactly how much private information can
 the adversary learn by launching a concurrent attack? "Can he learn
 all the private inputs in all the sessions? Or, can we preserve the
 security of some (or even most) of the sessions fully while
 compromising (a small fraction of) other sessions? Or is it the case
 that the security of all (or most) sessions is (at least partially)
 compromised? If so, can we restrict him to learn an arbitrarily small
 fraction of input in each session?".  We believe the above questions
 to be fundamental to the understanding of concurrent composition.

Towards that end, we take a knowledge-complexity based approach
 (Goldreich-Petrank, STOC'91) to concurrently secure computation by
 allowing the ideal world adversary (a.k.a simulator) to query the
 trusted party for some leakage on the honest party inputs. We obtain
 both positive and negative results, depending upon the nature of the
 leakage queries available to the simulator. Informally speaking, our
 results imply the following: in the concurrent setting, "significant
 loss" of security (translating to high leakage in the ideal world) in
 some of the sessions is unavoidable. However on the brighter side, one
 can make the fraction of such sessions to be an arbitrarily small
 polynomial (while fully preserving the security in all other
 sessions). Our results also have an interesting implication on secure
 computation in the bounded concurrent setting: we show there exist
 protocols which are secure as per the standard ideal/real world notion
 in the bounded concurrent setting. However if the actual number of
 sessions happen to exceed the bound, there is "graceful degradation"
 of security (as the number of sessions increase).

In order to obtain our positive result, we take a "cost-based"
 approach to rewinding in the current setting. In particular, we model
 concurrent rewinding as a set-covering problem and develop what we
 call "sparse rewinding strategies", which yield to other applications
 as well, including improved constructions of precise concurrent

 Joint work with Vipul Goyal and Divya Gupta.

Title: Enhanced Chosen-Ciphertext Security and Applications
Speaker: Adam ONeill. BU.
Date: Monday Feb 25, 10AM, MCS137

Recently, there has been interest in randomness-recovering public-key
encryption (RR-PKE) (see, e.g., Peikert and Waters, STOC'08), where a
receiver efficiently recovers not only the message but also the
*random coins* of a sender.  We contend that for applications of
RR-PKE, the standard definition of chosen-ciphertext security (CCA)
should be amended so that the adversary gets access not only to a
decryption oracle but also a *randomness recovery* oracle, a new
notion we call enhanced chosen-ciphertext (ECCA) security.

We show that ECCA-secure RR-PKE can be constructed from adaptive
trapdoor functions (ATDFs), as defined and realized by Kiltz et al.
(EUROCRYPT 2010).  Previously, Kiltz et al. showed how to construct
standard CCA-secure PKE from ATDFs, but their construction turns out
to be insufficient for ECCA security.  Our construction crucially uses
the notion of *detectable* CCA security, recently introduced by
Hohenberger et al. (EUROCRYPT '12).  In fact, we show that a form of
ECCA-secure RR-PKE is *equivalent* both to ATDFs and to an extension
called tag-based ATDFs, meaning that ATDFs and tag-based ATDFs are
themselves equivalent, resolving an open question of Kiltz et al.

We then show that ECCA-secure RR-PKE can be used to securely realize
an approach to public-key encryption with non-interactive opening
(PKENO) originally suggested by Damg{\aa}rd and Thorbek (EUROCRYPT
2007).  PKENO, which allows a receiver to non-interactively prove that
a ciphertext decrypts to a claimed message, has widespread
applications to secure multiparty computation. We obtain new and
practical PKENO schemes quite different from those in prior work.

Joint work with Dana Dachman-Soled, Georg Fuchsbauer, and Payman Mohassel.

More information about the Busec mailing list