Papers by Hong-Sheng Zhou
We study efficient protocol constructions against adaptive corruption in the universal composition framework. For standard cryptographic tasks, we propose a new framework to design efficiently two-party secure function evaluation protocols, and then apply it to oblivious transfer and obtain the first practical such constructions. Regarding reactive cryptographic tasks, we present a framework for designing blind signatures, and construct the first practical protocols for this task.
Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science - ITCS '16, 2016
Lecture Notes in Computer Science, 2006
We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption.

Lecture Notes in Computer Science, 2007
Adaptive security, while more realistic as an adversarial model, is typically much harder to achieve compared to static security in cryptographic protocol design. Universal composition (UC) provides a very attractive framework for the modular design of cryptographic protocols that captures both static and adaptive security formulations. In the UC framework, one can design protocols in hybrid worlds that allow access to idealized functionalities and then apply the universal composition theorem to obtain more concrete protocol instances. The zero-knowledge (ZK) ideal functionality is one of the most useful sub-protocols in modular cryptographic design. Given an adaptively secure protocol in the ideal ZK-hybrid-world, do we always need an adaptively secure realization of the ZK functionality in order to preserve adaptive security under composition? In this work, perhaps surprisingly, we find that this is not so and in fact there are useful protocol instances where we can "trade static security for adaptive security." We investigate the above setting by introducing a weakened ZK ideal functionality, called the ideal leaking-zero-knowledge functionality (LZK), that leaks some information about the witness to the adversary in a certain prescribed way. We show that while LZK is interchangeable with ZK against static adversaries, ZK is more stringent when adaptive adversaries are considered. We then proceed to characterize a class of protocols in the ZK-hybrid-world that can be "transported" to the LZK-hybrid-world without forfeiting their security against adaptive adversaries. Our results demonstrate that in such settings a static protocol realization of ZK is sufficient for ensuring adaptive security for the parent hybrid protocol, something that enables simplified and substantially more efficient UC realizations of such protocols.

Lecture Notes in Computer Science, 2008
We study the design of practical blind signatures in the universal composability (UC) setting against adaptive adversaries. We introduce a new property for blind signature schemes that is fundamental for managing adaptive adversaries: an equivocal blind signature is a blind signature protocol where a simulator can construct the internal state of the client so that it matches a simulated transcript even after a signature was released. We present a general construction methodology for building practical adaptively secure blind signatures: the starting point is a 2-move "lite blind signature", a lightweight 2-party signature protocol that we formalize and implement both generically as well as number theoretically; formalizing a primitive as "lite" means that the adversary is required to show all private tapes of adversarially controlled parties, which enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the primitive's design methodology. We then focus on the exact ZK requirements for building blind signatures. To this effect, we formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK), and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. SVZK can be realized without relying on a multi-session UC commitment; as a result, we realize SVZK in a very efficient manner using number theoretic mixed commitments while employing a constant size common reference string and without the need to satisfy non-malleability. Regarding SPZK we find the rather surprising result that realizing it only for static adversaries is sufficient to obtain adaptive security for UC blind signatures. This important observation simplifies blind signature design substantially as one can realize SPZK very efficiently in a commit-and-prove fashion using merely an extractable commitment.

Lecture Notes in Computer Science, 2009
Consider a center possessing a trusted (tamper proof) device that wishes to securely compute a public function over private inputs that are contributed by some network nodes. In network scenarios that support direct communication of nodes with the center, the computation can be done by the nodes encrypting their inputs under the device's public key and sending the ciphertexts to the center which, in turn, feeds them to the trusted device that computes the function. In many modern networking scenarios, however, the center and the contributing nodes are not directly connected/connectable, in which case the discovery and collection of inputs can only be performed by an agent (or agents) released to the network by the center. This introduces a new set of issues for secure computation. In this work we consider an agent that is released, sweeps the network once and then returns to its origin. The direct solution, in this case, is for the agent to possess a certified public key of the trusted device and for the nodes to contribute their inputs as ciphertexts under this key; once the agent collects all inputs it reconnects with the center for function computation. The above single-sweep simple collection requires the agent to store a linear number of ciphertexts. The goal of this work is to formalize and solve the above problem for a general set of functions by an agent that employs sub-linear storage while maintaining input privacy (an important technical requirement akin to that of "Private Information Retrieval" protocols).
Lecture Notes in Computer Science, 2009
Research partly supported by NSF CAREER Award CNS-0447808.
Lecture Notes in Computer Science, 2013
Lecture Notes in Computer Science, 2014
Lecture Notes in Computer Science, 2012
Yao's garbled-circuit approach enables constant-round secure two-party computation for any boolean circuit. In Yao's original construction, each gate in the circuit requires the parties to perform a constant number of encryptions/decryptions, and to send/receive a constant number of ciphertexts. Kolesnikov and Schneider (ICALP 2008) proposed an improvement that allows XOR gates in the circuit to be evaluated "for free", i.e., incurring no cryptographic operations and zero communication. Their "free-XOR" technique has proven very popular, and has been shown to improve performance of garbled-circuit protocols by up to a factor of 4.
Proceedings of the 30th annual ACM SIGACT-SIGOPS symposium on Principles of distributed computing - PODC '11, 2011
We consider the classical problem of synchronous broadcast with dishonest majority, when a public-key infrastructure and digital signatures are available. In a surprising result, Hirt and Zikas (Eurocrypt 2010) recently observed that all existing protocols for this task are insecure against an adaptive adversary who can choose which parties to corrupt as the protocol progresses. Moreover, they prove an impossibility result for adaptively secure broadcast in their setting.

2010 23rd IEEE Computer Security Foundations Symposium, 2010
Nowadays it is widely accepted to formulate the security of a protocol carrying out a given task via the "trusted-party paradigm," where the protocol execution is compared with an ideal process where the outputs are computed by a trusted party that sees all the inputs. A protocol is said to securely carry out a given task if running the protocol with a realistic adversary amounts to "emulating" the ideal process with the appropriate trusted party. In the Universal Composability (UC) framework the program run by the trusted party is called an ideal functionality. While this simulation-based security formulation provides strong security guarantees, its usefulness is contingent on the properties and correct specification of the ideal functionality, which, as demonstrated in recent years by the coexistence of complex, multiple functionalities for the same task as well as by their "unstable" nature, does not seem to be an easy task.

IET Information Security, 2009
This paper introduces Hidden Identity-based Signatures (Hidden-IBS), a type of digital signatures that provide mediated signer-anonymity on top of Shamir's Identity-based signatures. The motivation of our new signature primitive is to resolve an important issue with the kind of anonymity offered by "group signatures" where it is required that either the group membership list is public or that the opening authority is dependent on the group manager for its operation. Contrary to this, Hidden-IBS do not require the maintenance of a group membership list and they enable an opening authority that is totally independent of the group manager. As we argue this makes Hidden-IBS much more attractive than group signatures for a number of applications. In this paper, we provide a formal model of Hidden-IBS as well as two efficient constructions that realize the new primitive. Our elliptic curve construction that is based on the SDH/DLDH assumptions produces signatures that are merely half a Kbyte long and can be implemented very efficiently.
IACR ePrint Archive, 2008
Lecture Notes in Computer Science, 2016
Lecture Notes in Computer Science, 2016
International Cryptology Conference, 2000
Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties on the fly as the computation proceeds, has been an elusive task. Indeed, thus far no efficient protocols achieve adaptive security for general multi-party computation, or even for many specific two-party tasks such as oblivious transfer (OT). In fact, it is difficult and expensive to achieve
Lecture Notes in Computer Science, 2015