tag:www.cs.virginia.edu,2007-07-25:/~shelat/research//1 2009-11-13T19:36:04Z Movable Type 4.21-en tag:www.cs.virginia.edu,2009:/~shelat/research//1.28 2009-08-04T14:12:43Z 2009-11-13T19:36:04Z

Proceedings version: [pdf]
]]>
Our construction is black-box, and thus requires novel techniques to avoid known impossibility results concerning trapdoor predicates [GMR01].  To the best of our knowledge, our work is also the first example of  a non-shielding reduction (introduced in [GMM07]) in the standard (i.e., not random-oracle) model.

]]> tag:www.cs.virginia.edu,2009:/~shelat/research//1.27 2009-05-15T16:07:39Z 2009-05-15T16:47:19Z

CRYPTO 2009. Santa Barbara, CA.

]]> parties running the protocol. In the standard communication model (and assuming the existence of one-way functions), protocols satisfying any reasonable degree of privacy cannot be collusion-free. To circumvent this impossibility result, Alwen et al.\ (CRYPTO 2008) recently suggested the \emph{mediated model} where all communication passes through a mediator; the goal is to design protocols where collusion-freeness is guaranteed as long as the mediator is honest, while standard security guarantees hold if the mediator is dishonest. In this model, they gave constructions of collusion-free protocols for commitments and zero-knowledge proofs in the two-party setting.

We strengthen the definition of Alwen et al., and resolve the main open questions in this area by showing a collusion-free protocol (in the mediated model) for computing any multi-party functionality.

]]> tag:www.cs.virginia.edu,2009:/~shelat/research//1.26 2009-05-15T16:03:18Z 2009-05-15T16:46:13Z

Silvio Micalli and abhi shelat.Theory of Cryptography Conference (TCC) 2009....

Theory of Cryptography Conference (TCC) 2009.

]]> After providing a more complete definition of this problem, we exhibit a very efficient and  purely rational solution to it.  Our solution works in the verifiable trusted third party model.
]]> tag:www.cs.virginia.edu,2008:/~shelat/research//1.22 2008-08-29T12:40:49Z 2008-08-29T12:45:10Z

Jan Camenisch, Rafik Chaabouni, and abhi shelatTo Appear in ASIACRYPT 2008...

To Appear in ASIACRYPT 2008

]]> We consider the following problem: Given a commitment to
a value σ, prove in zero-knowledge that σ belongs to some discrete set
Φ. The set Φ can perhaps be a list of cities or clubs; often Φ can be a
numerical range such as [1, 220 ]. This problem arises in e-cash systems,
anonymous credential systems, and various other practical uses of zero-
knowledge protocols.

When using commitment schemes relying on RSA-like assumptions, there
are solutions to this problem which require only a constant number
of RSA-group elements to be exchanged between the prover and verifier
[Bou00,Lip03,Gro05]. However, for many commitment schemes based
on bilinear group assumptions, these techniques do not work, and the
best known protocols require O(k) group elements to be exchanged.
In this paper, we present two new approaches to building set-membership
proofs. The first is based on bilinear group assumptions. When ap-
plied to the case where Φ is a range of integers, our protocols require
O( k / log k - log log k ) group elements to be exchanged. Not only is this result
asymptotically better, but the constants are small enough to provide
significant improvements even for small ranges. Indeed, in a pure discrete
logarithm based setting, our new protocol is by an order of magnitude
more efficient than previously known ones. We also discuss alternative
implementations of our membership proof based on the strong RSA
assumption. Depending on the application, e.g., when Φ is a published set
of values such a frequent flyer clubs, cities, or other adhoc collections,
these alternative also outperform prior solutions.


]]> tag:www.cs.virginia.edu,2008:/~shelat/research//1.21 2008-08-29T12:33:29Z 2008-08-29T12:46:01Z

Joel Alwen, abhi shelat, and Ivan ViscontiCRYPTO 2008...

CRYPTO 2008
]]> Prior approaches [15, 14] to building collusion-free protocols
require exotic channels. By taking a conceptually new approach, we are
able to use a more digitally-friendly communication channel to construct
protocols that achieve a stronger collusion-free property.

We consider a communication channel which can filter and rerandomize
message traffic. We then provide a new security definition that captures
collusion-freeness in this new setting; our new setting even allows for the
mediator to be corrupted in which case the security gracefully fails to
providing standard privacy and correctness. This stronger notion makes
the property useful in more settings.

To illustrate feasibility, we construct a commitment scheme and a zero-
knowledge proof of knowledge that meet our definition in its two variations.

[pdf]
 

]]> tag:www.cs.virginia.edu,2007:/~shelat/research//1.18 2007-08-29T22:26:43Z 2008-08-29T12:44:23Z

Rafael Pass, abhi shelat, and Vinod Vaikuntanathan.ASIACRYPT'07, December 2007, Kuching, Malaysia....

ASIACRYPT'07, December 2007, Kuching, Malaysia.
]]>
]]> tag:www.cs.virginia.edu,2007:/~shelat/research//1.17 2007-08-29T22:19:02Z 2007-08-29T22:38:54Z

To appear in ASIACRYPT'07, December 2007, Kuching, Malaysia.

This paper is a merger of three papers: one by Cramer, Hofheinz, and Kiltz, one by Hanaoka and Imai, and one by Pass, shelat, and Vaikuntanathan.
]]> Whereas encryption schemes withstanding only passive chosen-plaintext attacks (CPA) can be constructed based on a variety of computational assumptions, only a few assumptions are known to imply the existence of  encryption schemes withstanding adaptive chosen-ciphertext attacks (CCA2). Towards addressing this asymmetry, we consider a weakening of the CCA2 model---bounded CCA2-security---wherein security needs only hold against adversaries that make an a-priori bounded number of queries to the decryption oracle.  Regarding this notion we show (without any further assumptions):

• For any polynomial $q$, a simple black-box construction of $q$-bounded IND-CCA2-secure encryption schemes, from any CPA secure encryption scheme. When instantiated with the DDH assumption, this construction additionally yields encryption schemes with very short ciphertexts.

• For any polynomial $q$, a (non-black box) construction of $q$-bounded NM-CCA2-secure encryption schemes, from any CPA secure encryption scheme. As far as we know, bounded-CCA2 non-malleability is the strongest notion of security known to be achievable assuming only the existence of CPA secure encryption schemes.
  

Finally, we show that non-malleability and indistinguishability are not equivalent under bounded CCA2 attacks
(in contrast to general CCA2 attacks).
]]> tag:www.cs.virginia.edu,2007:/~shelat/research//1.6 2007-07-25T20:34:22Z 2007-08-02T15:39:51Z

Ran Canetti, Rafael Pass, and abhi shelatTo appear in Foundations of Computer Science (FOCS'07), Providence, Rhode Island, October 2007....

To appear in Foundations of Computer Science (FOCS'07), Providence, Rhode Island, October 2007.
]]>
However, the reference string in the CRS model must be guaranteed to be sampled from a precisely specified distribution; indeed, current security analyses typically fail when the distribution is changed even slightly. This fact rules out a large class of potential implementations of the CRS model such as measurements of physical phenomena (like sunspots), or alternatively using random sources that might be adversarially influenced.

Are there protocols that guarantee composable security even when the
reference string is taken from an ``imperfect'', or ``adversarially
controlled'' distribution?

The answer turns out to be surprisingly intricate.
We first show that impossibility results for composable secure computation in the plain model extend to this relaxed version of the CRS model, as long as the only guarantee on the reference  string is that it is taken from a distribution of some minimal min-entropy; here ``minimal'' is as high as full entropy minus any polynomially vanishing fraction.  Impossibility holds even when the reference string is taken from an  algorithmically samplable distribution, whose code is known to the adversary, as long as the sampling algorithm is allowed to run for sub-exponential time.  

Finally we show how to regain general feasibility of universally composable secure computation in this model, as long as the sampling algorithm is efficient, and known to the adversary. The construction and analysis make essential use of the technique of Barak's non black-box zero-knowledge protocol (FOCS 2001).
]]> tag:www.cs.virginia.edu,2007:/~shelat/research//1.5 2007-07-25T20:09:02Z 2007-08-02T15:36:36Z

Christian Cachin, abhi shelat, and Alex ShraerPrinciples of Distributed Computing (PODC'07), Portland, Oregan, Aug 2007....

Principles of Distributed Computing (PODC'07), Portland, Oregan, Aug 2007.
]]> When data is stored on a faulty server that is accessed concurrently by multiple clients, the server may present inconsistent data to different clients. For example, the server might complete a write operation of one client, but respond with stale data to another client. Mazi\`{e}res and Shasha (PODC 2002) introduced the notion of {fork-consistency, also called fork-linearizability, which ensures that the operations seen by every client are linearizable and guarantees that if the server causes the views of two clients to differ in a single operation, they may never again see each other's updates after that without the server being exposed as faulty. In this paper, we improve the communication complexity of their fork-linearizable storage access protocol with $n$ clients from $\Omega(n^2)$ to $O(n)$. We also prove that in every such protocol, a reader must wait for a concurrent writer. This explains a seeming limitation of their and of our improved protocol. Furthermore, we give novel characterizations of fork-linearizability and prove that it is neither stronger nor weaker than sequential consistency. tag:www.cs.virginia.edu,2007:/~shelat/research//1.4 2007-07-25T20:08:20Z 2007-08-02T15:34:36Z

Jan Camenisch, Gregory Neven, and abhi shelatEUROCRYPT 2007, Barcelona, Spain, May 2007. p.573-590....

EUROCRYPT 2007, Barcelona, Spain, May 2007. p.573-590. ]]>
We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes.

[PDF]

]]> tag:www.cs.virginia.edu,2007:/~shelat/research//1.3 2007-07-25T20:07:41Z 2007-08-02T15:31:54Z

Susan Hohenberger, Guy Rothblum, abhi shelat, and Vinod VaikuntanathanTheory of Cryptography Conference (TCC'07), Amsterdam, The Netherlands, Feb 2007, p. 233-252....

Theory of Cryptography Conference (TCC'07), Amsterdam, The Netherlands, Feb 2007, p. 233-252.]]>
Whereas other positive obfuscation results in the standard model apply to very simple point functions, our obfuscation result applies to the significantly more complicated and widely-used re-encryption functionality. This functionality takes a ciphertext for message $m$ encrypted under Alice's public key and transforms it into a ciphertext for the same message $m$ under Bob's public key.

[PDF]

]]> tag:www.cs.virginia.edu,2007:/~shelat/research//1.2 2007-07-25T20:05:54Z 2007-07-25T22:07:59Z

Rafael Pass, abhi shelat, and Vinod VaikuntanathanCRYPTO'06, Santa Barbara, CA, Aug 2006, p.271-289....

CRYPTO'06, Santa Barbara, CA, Aug 2006, p.271-289.
]]> non-malleability of encryptions is crucial. We show how to transform any semantically secure encryption scheme into one that is non-malleable for arbitrarily many messages.

[PDF]]]> tag:www.cs.virginia.edu,2005:/~shelat/research//1.7 2005-08-25T21:36:06Z 2007-07-25T22:10:19Z

Rafael pass and abhi shelat CRYPTO'05, Santa Barbara, CA, Aug 2005, p.118-134....

CRYPTO'05, Santa Barbara, CA, Aug 2005, p.118-134. ]]> Public Parameter
model and the Secret Parameter model.  In the former, a public string is ``ideally'' chosen according to some efficiently samplable distribution and made available to both the Prover and Verifier.  In the latter, the parties instead obtain correlated (possibly different) private strings.

To add further choice, the definition of zero-knowledge in these settings can either be non-adaptive or adaptive.
 
In this paper, we obtain several unconditional characterizations of computational, statistical and perfect NIZK for all combinations of these settings.  Specifically, we show:

In the secret parameter model, \nizk$=\,$\niszk$=\,$\nipzk$=\,$\am.

In the public parameter model,

• for the non-adaptive definition, \niszk $\subseteq$ \am $\cap$ \coam,
• for the adaptive one, it also holds that \niszk $\subset$ \bpp/1,
• for computational NIZK for ``hard'' languages, one-way functions are both necessary and sufficient.
  

From our last result, we arrive at the following unconditional characterization of computational NIZK in the public parameter model (which complements well-known results for interactive zero-knowledge):

• Either NIZK proofs exist only for ``easy'' languages (i.e., languages that are not hard-on-average), or theyexist for all of \am (i.e., all languages which admit non-interactive proofs).
  

[PDF]

]]> tag:www.cs.virginia.edu,2005:/~shelat/research//1.9 2005-07-25T21:43:39Z 2007-07-25T22:15:29Z

Matt Lepinski and Silvio Micali and abhi shelat Symposium on the Theory of Computation (STOC'05), Baltimore, MD, May 2005, p.543-552....

Symposium on the Theory of Computation (STOC'05), Baltimore, MD, May 2005, p.543-552. ]]> collude during run-time.  They do not, however, prevent malicious parties from colluding and coordinating their actions in the first place!

Eliminating such collusion of malicious parties during the execution of a protocol is an important and exciting direction for research in Cryptography.  We contribute the first general result in this direction:

1. We provide a rigorous definition of what a collusion-free protocol is; and
2. We prove that, under standard physical and computational assumptions ---i.e., plain envelopes and trapdoor permutations---collusion-free protocols exist for all finite protocol tasks with publicly observable actions.

(Note that such tasks are allowed to have secret global state, and thus include Poker, Bridge, and other such games.)

[PDF]]]> tag:www.cs.virginia.edu,2005:/~shelat/research//1.8 2005-07-25T21:42:31Z 2007-07-25T22:22:47Z

Moses Charikar, Eric Lehman, Ding Liu, Rina Panigrahy, Manoj Prabhakaran, Amit Sahai, abhi shelat IEEE Transactions on Information Theory, Vol. 51, Issue 7, Jul 2005, p2554-2576.This paper subsumes Approximating the Smallest Grammar: Kolmogorov Complexity in Natural Models Moses Charikar,...

IEEE Transactions on Information Theory, Vol. 51, Issue 7, Jul 2005, p2554-2576.

This paper subsumes
Approximating the Smallest Grammar: Kolmogorov Complexity in Natural Models
Moses Charikar, Eric Lehman, Ding Liu, Rina Panigrahy, Manoj Prabhakaran, April Rasala, Amit Sahai, abhi shelat
STOC 2002
]]>  
  This is a natural question about a fundamental object connected to many fields, including data compression, Kolmogorov complexity, pattern identification, and addition chains.

Due to the problem's inherent complexity, our objective is to find an approximation algorithm which finds a {\em small} grammar for the input string.  We focus attention on the {\em approximation ratio} of the algorithm (and implicitly, worst-case behavior) to establish provable performance guarantees and to address short-comings in the classical measure of {\em redundancy} in the literature.

Our first results are a variety of hardness results, most notably that every efficient algorithm for the smallest grammar problem has approximation ratio at least $\frac{8569}{8568}$ unless $P = NP$.

We then bound approximation ratios for several of the best-known grammar-based compression algorithms, including {\sc LZ78}, {\sc  Bisection}, {\sc Sequential}, {\sc Longest Match}, {\sc Greedy}, and {\sc Re-Pair}.  Among these, the best upper bound we show is $O(n^{1/2})$.

We finish by presenting two novel algorithms with exponentially better ratios of $O(\log^3 n)$ and $O(\log(n / m^*))$, where $m^*$ is the size of the smallest grammar for that input.  The latter highlights a connection between grammar-based compression and {\sc LZ77}.


[PDF]

]]>