Abstracts (Currently Available) for Workshop Talks 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Title: On the fundaments of secure multiparty protocols (talk series)"

Speaker: Ran Canetti


The goal of this talk series is to present and discuss the foundations
of secure cryptographic protocols. I will first present definitions of
protocol security, and show how protocols can be composed securely.
Then I will use the above "framework" to take a fresh look at  some
basic general constructions of secure protocols. Naturally, this
presentation will be tainted by my personal viewpoint.  I hope it will
stir up fruitful discussion.

The series will consist of the following four parts. Each part may take
anywhere from 0.5-2 hours, depending mainly on the audience interest.

1. Definitions of multiparty secure protocols. There have been several
effors to come up with a set of definitions of security for multiparty
secure protocols, most notably by Micali-Rogaway, Goldwasser-Levin,
Beaver. I will concentrate on
a definitional approach that I have been involved in.
After presenting the general paradigm, I will describe definitions
for several adversary models (passive, active, static, adaptive,
information-theoretic, computational), and give hints on how this
approach can be  used to define security in other settings.
Lastly I will shortly review other definitional approaches.

2. Composition of secure protocols. I will show how protocols can be
composed in a way that maintains security. The composition method is
the natural one, namely subroutine substitution (as defined by Micali
and Rogaway). This will include formalizing the variants of the composition
theorem for the above adversary models, sketching the proof(s), and then
diving into the details until the audience cries for rescue.

3. Review the [BGW88] general construction of of secure protocols,
for the information theoretic setting with adaptive adversaries. The
presentation will be slightly different than the "standard" one, in that
the security of each component in the construction will be first proven
separately; then, the pieces will be put together, using the composition
theorem, to establish the security of the overall protocol.  Finally,
the composition theorem will be used again to show that encrypting each
message (using adaptively secure encryptions) results in secure protocols
in the computational ("insecure channels") setting.

4. Review the [GMW87] general construction for the computational setting
with static adversaries. Again, the various components are first
presented and proven separately, and then the security of the overall
protocol is established via the composition theorem.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Title: SECURE PROTOCOLS WITH INVISIBLE TRUSTED PARTIES
Speaker: Silvio Micali

Many crucial protocol problems (e.g., secret exchange, contract signing,

and certified e-mail) involve a "symultaneous" exchange between just
two parties, but cannot be cleanly solved by two-party protocols.
Such protocol problems could often be solved with the help of a trusted
third party, but this might  generate congestions (in the network),
liabilities (for the third party) and costs (to the users).

We thus put forward and explore the power of an alternative model:
two-party protocols with an INVISIBLE TRUSTED PARTY, that is,
a party that does not participate in an ordinary execution, but, if
something goes wrong, can still take a simple action to complete
the execution properly. In particular, we show that Certified-E Mail
possesses a clean and practical solution in this model.


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


Title: Secure Multiparty Computation and Fault-Tolerant Quantum Computation.
Speaker: Michael Ben Or

Abstract:
In this talk I shall explain the natural connection between
these two "Fault-Tolerance" problems.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Title: Multiuser Steganographic File Systems
Speaker: Adi Shamir

Abstract: In this talk we describe several implementations of
steganographic file systems, which give users a very high level
of protection against being compelled to disclose the contents
of their secret files, even when the opponent has full access to
the hardware and software of their computer, and can demand to
see a plausible explanation for any suspicious looking file in
their hard disk. We concentrate in particular on the harder case
of multiuser systems, in which each party can manipulate its
secret files in an arbitrary way without destroying the secret
files of other users, even when he doen't know where they are
stored or what is their contents.

Joint work with Ross Anderson and Roger Needham.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Title:  Distributed KDC 
Speaker: Benny Pinkas.

Network security is often based  on trusted intermediaries. In fact, using
such  intermediaries seems inevitable for any large network.  The use
of public key operations typically relies on trusted Certificate
Authorities (CAs), whereas networks whose security is only based on private
key  operations commonly use a Key Distribution Center (KDC).

The use of a single trusted party (CA or KDC) introduces availability
problems, whereas replicated copies of the trusted party are multiple
points of failure for the system security.

A much preferable approach which is captured in the notion of threshold
cryptography is the distribution of trust among several parties.
In this talk we consider the task of designing a distributed system of KDCs
(DKDC) that answers both the availability and the security problems.

Joint work with Moni Naor and Omer Reingold.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Title: Applications of Crypto and Multi-Party Computations to E-Commerce
Speaker: Amir Herzberg, 

The Internet offers direct, immediate connectivity among businesses and
individuals globally - providing the potential for more efficient markets
and processes. A major inhibitor is the lack of security, in particular,
the danger that some parties will not perform their roles as promised. Of
course, this scenario reminds us of multi-party computation models - or at
least the motivation part of the Introductions. In fact, we believe
cryptography and multi-party computation techniques could indeed be the key
to enabling secure e-commerce solutions.

In this brief informal presentation, we will mainly raise some questions
and try to stimulate discussion. In particular:
1. What are the important E-commerce scenarios which need cryptographic
solutions?
2. What additional analytical work is needed? (Answer: often we need more
efficient solutions; sometimes, we may have to extend the  foundations)



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Title: Span Programs with Multiplication

Speaker: Ronald Cramer




Monotone span programs (Karchmer and Wigderson), a linear algebra based model 
of computation, provide a powerful way of designing (linear) secret sharing 
schemes.

We enhance this model to extend its usefulness into the domain of general 
multiparty computation secure against non-threshold adveraries: monotone span 
programs with multiplication.

In this talk we introduce monotone span programs with multiplication, we 
completely classify which monotone Boolean functions are computable by them, 
and we give some upperbounds on their complexity in terms of certain monotone 
circuits. 

Finally, we show that for some concrete functions monotone span programs with 
multiplication are superpolynomially more efficient than monotone circuits.

Joint work (see also Damgaard's abstract) with Ivan Damgaard and Ueli Maurer.




%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


Title: Trading Correctness for Privacy
Speaker: Martin Hirt

Abstract:
This paper improves on the classical results in unconditionally secure
multi-party computation among a set of $n$ players, by considering a
model with three simultaneously occurring types of player corruption:
the adversary can actively corrupt (i.e. take full control over) up to
$t_a$ players, can passively corrupt (i.e. read the entire information
of) up to $t_p$ additional players and, can fail-corrupt (i.e. stop
the computation of) up to $t_f$ other players.  The classical results
are for the special cases of only passive ($t_a = t_f = 0$) or only
active ($t_p = t_f = 0$) corruption. In the passive case, every function
can be computed securely if and only if $t_p < n/2$. In the active case,
every function can be computed securely if and only if $t_a < n/3$; when
a broadcast channel is available, then this bound is $t_a < n/2$. These
bounds are tight.

Strictly improving these results, one of our results states that, in
addition to tolerating $t_a<n/3$ actively corrupted players, privacy
can be guaranteed against every minority, thus tolerating
{\em additional} $t_p <= n/6$ passively corrupted players. These
protocols require no broadcast and have an exponentially small failure
probability. When zero failure probability is required, privacy can be
maintained against any minority, but one can even tolerate $t_a <= n/4$
of these players to be corrupted actively.

Moreover, we characterize completely the achievable thresholds $t_a$,
$t_p$ and $t_f$ for four scenarios. Zero failure probability is
achievable if and only if $2t_a + 2t_p + t_f < n$ and
$3t_a + t_p + t_f < n$; this holds whether or not a broadcast channel
is available. Exponentially small failure probability with a broadcast
channel is achievable if and only if $2t_a + 2t_p + t_f < n$; without
broadcast, the additional condition $3t_a + t_f < n$ is necessary and
sufficient.


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


Title: Multiparty Computations against Non-Threshold Adversaries
Speaker: Ivan Damgaard

Abstract:
We introduce the idea of general, non-threshold adversaries (a concept
invented by Hirt and Maurer) in multiparty computations (MPC). Here, the
sets of players that may potentially be corrupt are not necessarily
specified only by their cardinality. We show that this leads to natural
scenarios where secure MPC is possible, but where earlier threshold
solutions do not suffice.
We present a set of primitives including homomorphic commitments and linear
secret sharing, sufficient for implementing a generic approach to general
MPC, valid in both the information theoretic and cryptographic scenarios.
We show how monotone span programs may be used to implement all the
required primitives in the information theoretic scenario, leading to
substantial - in some cases superpolynomial - efficiency improvement over
earlier solutions. We also briefly cover cryptographic implementations.


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

title:          Ups and downs of quantum cryptographic protocols
Author:         Claude Cr\'epeau
Affiliation:    School of Computer Science, McGill University

Abstract:
It has been recently shown by Mayers that no bit commitment is secure
if the participants have unlimited computational power and technology.
The main idea of the attack is that the cheater runs the protocol
on a quantum computer, replacing randomness by quantum superpositions,
and executes a measurement only if the outcome must be communicated. 
However it was noticed that a secure protocol could be
obtained by forcing the cheater to execute a measurement.
Similar situations had been encountered previously
in the design of Quantum Oblivious Transfer.

The question is whether a classical bit commitment could be used
for this specific purpose. We demonstrate that, surprisingly, many
classical unconditionally concealing bit commitments do not help.
However, we also identify a number of scenarios where quantum cryptographic
protocols still provide an improvement over their classical counterparts.

Joint work with, Gilles Brassard, Dominic Mayers, Louis Salvail


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Title: Zero Knowledge on the Internet

Speaker: Erez Petrank

Abstract:
We consider zero knowledge interactive proofs in a richer, more
realistic communication environment.  That is, one may simultaneously
engage in many interactive proofs, and these proofs may be take place
in an asynchronous fashion.  It is known that zero-knowledge is not
necessarily preserved in such an environment; we show that for a large
class of protocols, it {\em cannot} be preserved.  Any 4 round
nontrivial zero-knowledge interactive proof is not black-box
simulatable in the asynchronous setting.

This is joint work with Charles Rackoff and  Joe Kilian


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


Title: Toward Survivable Systems
Speaker: Mike Reiter,  AT&T Labs Research, Florham Park, NJ, USA

In this talk we survey the lessons learned from a five-year (and
counting) research program on survivable distributed systems.  By a
"survivable system", we mean one that can tolerate the malicious
penetration of some of its components and still function properly.
Survivability is key for building large-scale trustworthy information
infrastructures; indeed, the inability of critical infrastructures
today to survive electronic attacks is a cause of deep concern in
information warfare circles.  We describe new techniques we have
developed for achieving survivable systems in practice, as well as our
application of these techniques to problems such as electronic
auctions, public key infrastructure, and an electronic voting system
for Costa Rica's national elections.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Title : Extensions to Multi-Party Computations
Speaker: Michael Waidner 

Multiparty computation (MPC) is typically defined as distributed
function evaluation. Security means robustness and secrecy of the
individual inputs, and is defined relative to an ideal implementation using
a trusted host. We discuss several variants of MPC, motivated by practical
applications, and sketch how definitions would look like:

    * "Unfair MPC" provides some level of robustness even for a
      dishonest majority, and models, e.g., protocols for distributed
      key generation.
         All n parties cooperate as usual in order to evaluate a certain
      function, but a dishonest party can disrupt the computation before
      the honest parties receive the result. After each disruption the
      just identified disrupter is expelled and the protocol is repeated
      without him -- until it finally succeeds without any disruptions.

    * "Optimistic MPC" models, e.g., protocols for optimistic contract
      signing among multiple parties. Again, any party can disrupt the
      computation before the honest parties received the result. But now we
      do not repeat the computation until it succeeds but invoke a Trusted
      Third Party which is capable of doing the computation.

    * "Reactive MPC:" Each party consists of a user machine and a program   
      offering a certain service to the user. "Reactive" means that a user
      can consecutively supply inputs to his protocol and will get
      consecutively outputs which are the results of an interaction among
      all the programs.
         We discuss how to adapt the existing non-reactive trusted host 
      definitions to this setting.

    * "Individual integrity requirements:" For many reactive MPC problems 
      security can be defined without refering to a trusted host model,
      but still in a relatively general way: security is expressed in terms
      of temporal statements about the relations between inputs and outputs
      on the interfaces between users and programs.
         We discuss how one can define a general cryptographic semantics
      for such statements.

Joint with Birgit Pfitzmann 



----------------------------------+--------------------------------
Michael Waidner                   | Phone: +41-1-724 8220
IBM Research Division             | Fax:   +41-1-724 8953
Zurich Research Laboratory        | 
Manager Network Security          | mailto:wmi@zurich.ibm.com
Saeumerstrasse 4                  | Michael Waidner/Zurich/IBM
CH-8803 Rueschlikon, Switzerland  | http://www.zurich.ibm.com/~wmi/ 
----------------------------------+--------------------------------
PGP Fingerprint =  1B 6D A7 26 09 69 D2 3D  79 86 9C F6 13 92 F4 29
    Key available from http://www.zurich.ibm.com/~wmi/pgp.html
-------------------------------------------------------------------

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

List of Participants (Coming from Israel)
-----------------------------

Eli Biham    
Michael Ben-Or
Benny Chor
Man Eran
Uriel Feige 
Niv Gilboa
Shafi Goldwasser
Amir Hertberg
Yuval Ishai
Nissim Yaacov 
Hugo Krawczyk
Eyal Kushilevits
Nati Linial
Yoram Moses 
Moni Naor
Erez Petrank
Benny Pinkas
Michael Rabin
Ran Raz
Omer Reingold 
Adi Shamir
Avi Wigderson


List of Participants (Coming from Abroad )
------------------------------

Dan Boneh
Ran Canetti
Ronald Cramer
Claude Creapau
Ivan Damgaard
Martin Hirt
Joe Kilian
Silvio Micali
Mike Reiter
Ronitt Rubinfeld
Raphael Ryger
Rebbeca Wright
Michael Waidner 
Moti Yung