Session-Key Generation Using Human Passwords Only

We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password, and there is no additional set-up assumption in the network. Our protocol is proven secure under the assumption that enhanced trapdoor permutations exist. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert, and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable with an attack in which an adversary is only allowed to make a constant number of queries of the form "is w the password of Party A." We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not known whether or not such protocols were attainable without the use of random oracles or additional set-up assumptions.     

Influence of Obstacles on the Development of Gravity Current Prior to Backdraft

The phenomenon of backdraft is closely linked to the formation of a flammable region due to the mixing process between the unburned gases accumulated in the compartment and the fresh air entering the compartment through a recently created opening. The flow of incoming fresh air is called the gravity current. Gravity current prior to backdraft has already been studied, Fleischmann (1993, Backdraft phenomena, NIST-GCR-94-646. University of California, Berkeley) and Fleischmann (1999, Numerical and experimental gravity currents related to backdrafts, Fire Safety Journal); Weng et al. (2002, Exp Fluids 33:398–404), but all simulations and experiments found in the current literature are systematically based on a perfectly regular volume, usually parallelipedic in shape, without any piece of furniture or equipment in the compartment. Yet, various obstacles are normally found in real compartments and the question is whether they affect the gravity current velocity and the level of mixing between fresh and vitiated gases. In the work reported here, gravity current prior to backdraft in compartment with obstacles is investigated by means of three-dimensional CFD numerical simulations. These simulations use as a reference case the backdraft experiment test carried out by Gojkovic (2000, Initial Backdraft. Department of Fire Safety Engineering, Lunds Tekniska Högskola Universitet, Report 3121). The Froude number, the transit time and the ignition time are obtained from the computations and compared to the tests in order to validate the model.     

General Composition and Universal Composability in Secure Multiparty Computation

Concurrent general composition relates to a setting where a secure protocol is run in a network concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols are executed concurrently. Canetti (FOCS 2001) introduced the notion of universal composability and showed that security under this definition is sufficient for achieving concurrent general composition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (In newer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all its variants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of two-party functionalities for which it is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not “black-box,” and apply even to non-black-box simulation. Our main result also demonstrates that the definition of universal composability is somewhat “minimal” in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is not overly restrictive. An extended abstract of this work appeared in the 44th FOCS, 2003. Yehuda Lindell: Most of this work was carried out while the author was at the IBM T.J. Watson Research Center.     

Lower Bounds and Impossibility Results for Concurrent Self Composition

In the setting of concurrent self composition, a single protocol is executed many times concurrently in a network. In this paper, we prove lower bounds and impossibility results for secure protocols in this setting. First and foremost, we prove that there exist large classes of functionalities that cannot be securely computed under concurrent self composition, by any protocol. We also prove a communication complexity lower bound on protocols that securely compute a large class of functionalities in this setting. Specifically, we show that any protocol that computes a functionality from this class and remains secure for m concurrent executions, must have bandwidth of at least m bits. The above results are unconditional and hold for any type of simulation (i.e., even for non-black-box simulation). In addition, we prove a severe lower bound on protocols that are proven secure using black-box simulation. Specifically, we show that any protocol that computes the blind signature or oblivious transfer functionalities and remains secure for m concurrent executions, where security is proven via black-box simulation, must have at least m rounds of communication. Our results hold for the plain model, where no trusted setup phase is assumed. While proving our impossibility results, we also show that for many functionalities, security under concurrent self composition (where a single secure protocol is run many times) is actually equivalent to the seemingly more stringent requirement of security under concurrent general composition (where a secure protocol is run concurrently with other arbitrary protocols). This observation has significance beyond the impossibility results that are derived by it for concurrent self composition. This paper combines results that appeared in extended abstracts in Lindell (35th STOC, pp. 683–692, 2003; 1st Theory of Cryptography Conference (TOC), LNCS, vol. 2951, pp. 203–222, 2004).     

What is the role of fresh groundwater and recirculated seawater in conveying nutrients to the coastal ocean?

Submarine groundwater discharge (SGD) is a major process operating at the land-sea interface. Quantifying the SGD nutrient loads and the marine/terrestrial controls of this transport is of high importance, especially in oligotrophic seas such as the eastern Mediterranean. The fluxes of nutrients in groundwater discharging from the seafloor at Dor Bay (southeastern Mediterranean) were studied in detail using seepage meters. Our main finding is that the terrestrial, fresh groundwater is the main conveyor of DIN and silica to the coastal water, with loads of 500 and 560 mol/yr, respectively, per 1 m shoreline. Conversely, recirculated seawater is nutrient-poor, and its role is mainly as a dilution agent. The nutrient loads regenerated in the subterranean estuary (sub-bay sediment) are relatively small, consisting mostly of ammonium (24 mol/yr). On the other hand, the subterranean estuary at Dor Bay sequesters as much as 100 mol N/yr per 1 m shoreline, mainly via denitrification processes. These, and observations from other SGD sites, imply that the subterranean estuary at some coastal systems may function more as a sink for nitrogen than a source. This further questions the extent of nutrient contributions to the coastal water by some subterranean estuaries and warrants systematic evaluation of this process in various hydrological and marine trophic conditions.     

Secure Computation Without Authentication

Research on secure multiparty computation has mainly concentrated on the case where the parties can authenticate each other and the communication between them. This work addresses the question of what security can be guaranteed when authentication is not available. We consider a completely unauthenticated setting, where all messages sent by the parties may be tampered with and modified by the adversary without the uncorrupted parties being able to detect this fact. In this model, it is not possible to achieve the same level of security as in the authenticated-channel setting. Nevertheless, we show that meaningful security guarantees can be provided: Essentially, all the adversary can do is to partition the network into disjoint sets, where in each set the computation is secure in of itself, and also independent of the computation in the other sets. In this setting we provide, for the first time, nontrivial security guarantees in a model with no setup assumptions whatsoever. We also obtain similar results while guaranteeing universal composability, in some variants of the common reference string model. Finally, our protocols can be used to provide conceptually simple and unified solutions to a number of problems that were studied separately in the past, including password-based authenticated key exchange and nonmalleable commitments. As an application of our results, we study the question of constructing secure protocols in partially authenticated networks, where some of the links are authenticated, and some are not (as is the case in most networks today).