An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

Traitor Tracing with constant transmission rate

The goal of secure multiparty computation is to transform a given protocol involving a trusted party into a protocol without need for the trusted party, by simulating the party among the players. Indeed, by the same means, one can simulate an arbitrary player in any given protocol. We formally define what it means to simulate a player by a multiparty protocol among a set of (new) players, and we derive the resilience of the new protocol as a function of the resiliences of the original protocol and the protocol used for the simulation.

In contrast to all previous protocols that specify the tolerable adversaries by the number of corruptible players (a threshold), we consider general adversaries characterized by an adversary structure, a set of subsets of the player set, where the adversary may corrupt the players of one set in the structure. Recursively applying the simulation technique to standard threshold multiparty protocols results in protocols secure against general adversaries.

The classical results in unconditional multiparty computation among a set of n players state that, in the passive model, any adversary that corrupts less than n/2 players can be tolerated, and in the active model, any adversary that corrupts less than n/3 players can be tolerated. Strictly generalizing these results we prove that, in the passive model, every function (more generally, every cooperation specified by involving a trusted party) can be computed securely with respect to a given adversary structure if and only if no two sets in the adversary structure cover the full set of players, and, in the active model, if and only if no three sets cover the full set of players. The complexities of the protocols are polynomial in the number of maximal adverse player sets in the adversary structure.

/pdf/player-simulation-and-general-adversary-structures-in-pqrdzva9mf.pdf

Player Simulation and General Adversary Structures in Perfect Multiparty Computation

The concept of trust and/or trust management has received considerable attention in engineering research communities as trust is perceived as the basis for decision making in many contexts and the motivation for maintaining long-term relationships based on cooperation and collaboration Even if substantial research effort has been dedicated to addressing trust-based mechanisms or trust metrics (or computation) in diverse contexts, prior work has not clearly solved the issue of how to model and quantify trust with sufficient detail and context-based adequateness The issue of trust quantification has become more complicated as we have the need to derive trust from complex, composite networks that may involve four distinct layers of communication protocols, information exchange, social interactions, and cognitive motivations In addition, the diverse application domains require different aspects of trust for decision making such as emotional, logical, and relational trust This survey aims to outline the foundations of trust models for applications in these contexts in terms of the concept of trust, trust assessment, trust constructs, trust scales, trust properties, trust formulation, and applications of trust We discuss how different components of trust can be mapped to different layers of a complex, composite network; applicability of trust metrics and models; research challenges; and future work directions

https://dl.acm.org/doi/pdf/10.1145/2815595

A Survey on Trust Modeling

We present the first general protocol for secure multiparty computation in which the totalamount of work required by nplayers to compute a function fgrows only polylogarithmically with n(ignoring an additive term that depends on nbut not on the complexity of f). Moreover, the protocol is also nearly optimal in terms of resilience, providing computational security against an active, adaptive adversary corrupting a (1/2 i¾? i¾?) fraction of the players, for an arbitrary i¾?> 0.

/pdf/scalable-multiparty-computation-with-nearly-optimal-work-and-2k331aszaz.pdf

Scalable Multiparty Computation with Nearly Optimal Work and Resilience

Blockchain is a distributed database which is cryptographically protected against malicious modifications. While promising for a wide range of applications, current blockchain platforms rely on digital signatures, which are vulnerable to attacks by means of quantum computers. The same, albeit to a lesser extent, applies to cryptographic hash functions that are used in preparing new blocks, so parties with access to quantum computation would have unfair advantage in procuring mining rewards. Here we propose a possible solution to the quantum era blockchain challenge and report an experimental realization of a quantum-safe blockchain platform that utilizes quantum key distribution across an urban fiber network for information-theoretically secure authentication. These results address important questions about realizability and scalability of quantum-safe blockchains for commercial and governmental applications.

Quantum-secured blockchain

Perfectly secure message transmission (PSMT), a problem formulated by Dolev, Dwork, Waarts and Yung, involves a sender S and a recipient R who are connected by n synchronous channels of which up to t may be corrupted by an active adversary. The goal is to transmit, with perfect security, a message from S to R. PSMT is achievable if and only if n > 2t.

For the case n >2t, the lower bound on the number of communication rounds between S and R required for PSMT is 2, and the only known efficient (i.e., polynomial in n) two-round protocol involves a communication complexity ofO(n3l) bits, wherel is the lengthof themessage. A recent solution by Agarwal, Cramer and de Haan is provably communication-optimal by achieving an asymptotic communication complexity of O(nl) bits; however, it requires the messages to be exponentially large, i.e., l=ω(2n).

In this paper we present an efficient communication-optimal tworound PSMT protocol for messages of length polynomial in n that is almost optimally resilient in that it requires a number of channels n ≥ (2 + ɛ)t, for any arbitrarily small constant ɛ > 0. In this case, optimal communication complexity is O(l) bits.

/pdf/towards-optimal-and-efficient-perfectly-secure-message-1h9z395526.pdf

Towards optimal and efficient perfectly secure message transmission

It is well-known that n players, connected only by pairwise secure channels, can achieve Byzantine agreement only if the number t of cheaters satisfies t

/pdf/detectable-byzantine-agreement-secure-against-faulty-2wpmopbc0h.pdf

Detectable byzantine agreement secure against faulty majorities

We consider a generalized adversary model for unconditionally secure multi-party computation. The adversary can actively corrupt (i.e. take full control over) a subset D ⊆ P of the players, and, additionally, can passively corrupt (i.e. read the entire information of) another subset E ⊆ P of the players. The adversary is characterized by a generalized adversary structure, i.e. a set of pairs (D,E), where he may select one arbitrary pair from the structure and corrupt the players accordingly. This generalizes the classical threshold results of Ben-Or, Goldwasser and Wigderson, Chaum, Crepeau, and Damgard, and Rabin and Ben-Or, and the non-threshold results of Hirt and Maurer.

/pdf/general-adversaries-in-unconditional-multi-party-computation-4refnft23z.pdf

General Adversaries in Unconditional Multi-party Computation

We consider a generalized adversary model for unconditionally secure multi-party computation The adversary can actively corrupt (ie take full control over) a subset D C P of the players, and, additionally, can passively corrupt (ie read the entire information of) another subset E ⊆ P of the players The adversary is characterized by a generalized adversary structure, ie a set of pairs (D,E), where he may select one arbitrary pair from the structure and corrupt the players accordingly This generalizes the classical threshold results of Ben-Or, Goldwasser and Wigderson, Chaum, Crepeau, and Damgard, and Rabin and Ben-Or, and the non-threshold results of Hirt and Maurer The generalizations and improvements on the results of Hirt and Maurer are three-fold: First, we generalize their model by considering mixed (active and passive) non-threshold adversaries and characterize completely the adversary structures for which unconditionally secure multi-party computation is possible, for four different models: Perfect security with and without broadcast, and unconditional security (with negligible error probability) with and without broadcast All bounds are tight Second, some of their protocols have complexity super-polynomial in the size of the adversary structure; we reduce the complexity to polynomial Third, we prove the existence of adversary structures for which no polynomial (in the number of players) protocols exist The following two implications illustrate the usefulness of these results: The most powerful adversary that is unconditionally tolerated by previous protocols among three players is the one that passively corrupts one arbitrary player; using our protocols one can unconditionally tolerate an adversary that either passively corrupts the first player, or actively corrupts the second or the third player Moreover, in a setting with arbitrarily many cheating players who want to compute an agreed function with the help of a trusted party, we can relax the trust requirement into this helping party: Without support from the cheating players the helping party obtains no information about the honest players' inputs and outputs

General adversaries in unconditional multi-party computation

Byzantine agreement is typically considered with respect to either a fully synchronous network or a fully asynchronous one. In the synchronous case, t + 1 communication rounds are necessary for deterministic protocols whereas all known probabilistic protocols require an expected large number of rounds. In this paper we examine the question of how many initial synchronous rounds are required for Byzantine agreement in the worst case if we allow to switch to asynchronous operation afterward. Let n = h + t be the number of parties where h are honest and t are corrupted. As the main result we show that, in the model with a public-key infrastructure and signatures (aka authenticated Byzantine agreement), d + O(1) deterministic synchronous rounds are sufficient where d is the minimal integer such that n - d > 3(t - d). This improves over the t + 1 necessary deterministic rounds for almost all cases, and over the exact expected number of rounds in the nondeterministic case for many cases.

Matthias Fitzi

Papers

Towards optimal and efficient perfectly secure message transmission

Detectable byzantine agreement secure against faulty majorities

General Adversaries in Unconditional Multi-party Computation

General adversaries in unconditional multi-party computation

On the number of synchronous rounds sufficient for authenticated byzantine agreement