Results 1–10 of 185
Protecting Data Privacy in Private Information Retrieval Schemes
 JCSS
Cited by 107 (19 self)
Private Information Retrieval (PIR) schemes allow a user to retrieve the i-th bit of an n-bit data string x, replicated in k ≥ 2 databases (in the information-theoretic setting) or in k ≥ 1 databases (in the computational setting), while keeping the value of i private. The main cost measure for such a scheme is its communication complexity.
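As an added illustration of the setting this abstract defines (example code, not the scheme of the paper above), here is the classical two-server information-theoretic PIR of Chor, Goldreich, Kushilevitz and Sudan. The user sends a uniformly random subset of indices to server 0 and the same subset with position i flipped to server 1; each server returns the XOR of the bits it was asked for, and everything except x[i] cancels. Each server alone sees a uniformly random query and learns nothing about i; the block also shows what two colluding servers can recover, which is why the abstract requires k ≥ 2 databases. The constructed database and the 2n+2-bit communication cost are for illustration only; this toy costs more than downloading x outright and shows the privacy mechanism, not the sub-linear communication that the paper's cost measure is about.

```python
"""Two-server XOR-based PIR (Chor-Goldreich-Kushilevitz-Sudan).
Added example, not the paper's scheme. x is a list of 0/1 ints replicated
on two servers that are assumed not to collude."""
import secrets


def server_answer(x, query):
    """A server XORs together the bits of x at the indices marked 1 in query."""
    acc = 0
    for j, q in enumerate(query):
        if q:
            acc ^= x[j]
    return acc


def make_queries(n, i):
    """Random subset S of [n] for server 0; S with index i flipped for server 1.
    Each query on its own is a uniformly random n-bit vector, independent of i."""
    s0 = [secrets.randbits(1) for _ in range(n)]
    s1 = list(s0)
    s1[i] ^= 1
    return s0, s1


def pir_retrieve(x, i):
    """Full protocol run: two queries, two one-bit answers, XOR gives x[i]."""
    q0, q1 = make_queries(len(x), i)
    a0 = server_answer(x, q0)  # XOR of x over S
    a1 = server_answer(x, q1)  # XOR of x over S with i flipped
    return a0 ^ a1             # all shared terms cancel, leaving x[i]


def communication_bits(n):
    """Two n-bit queries plus two one-bit answers: 2n + 2 bits in total."""
    return 2 * n + 2


def colluding_servers_recover_index(q0, q1):
    """What the non-collusion assumption buys: servers that compare their
    queries see that they differ in exactly one position, namely i."""
    diff = [a ^ b for a, b in zip(q0, q1)]
    return diff.index(1)
```

A run that downloads the whole string costs n bits, so this two-server scheme is only interesting as a demonstration of query privacy; the schemes the abstract refers to are judged on doing better than n bits while keeping the same privacy guarantee.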
Priced Oblivious Transfer: How to Sell Digital Goods
 In Birgit Pfitzmann, editor, Advances in Cryptology — EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science
, 2001
Cited by 94 (5 self)
We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose solutions which allow the buyer, after making an initial deposit, to engage in an unlimited number of priced oblivious-transfer protocols, satisfying the following requirements: As long as the buyer’s balance contains sufficient funds, it will successfully retrieve the selected item and its balance will be debited by the item’s price. However, the buyer should be unable to retrieve an item whose cost exceeds its remaining balance. The vendor should learn nothing except what must inevitably be learned, namely, the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer’s current balance is or when it actually runs out of its funds. The technical tools we develop, in the process of solving this problem, seem to be of independent interest. In particular, we present the first one-round (two-pass) protocol for oblivious transfer that does not rely on the random oracle model (a very similar protocol was independently proposed by Naor and Pinkas [21]). This protocol is a special case of a more general “conditional disclosure” methodology, which extends a previous approach from [11] and adapts it to the 2-party setting.
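To make the "one-round (two-pass)" shape concrete, here is an added example (not the protocol of the paper above) of a Diffie-Hellman-style 1-out-of-2 oblivious transfer in the manner of Naor and Pinkas: the receiver sends one message, the sender answers with one message, and the receiver ends up with exactly the message it chose while the sender learns nothing about the choice. Note that this toy derives its keys with a hash, so unlike the paper's construction it does rely on a random-oracle-style assumption. The modulus, generator and the public constant C are toy assumptions for illustration; a real implementation uses a standard group and an authenticated channel.

```python
"""Toy two-pass 1-out-of-2 OT in the style of Naor and Pinkas.
Added example, not the paper's protocol. Toy parameters only."""
import hashlib
import secrets

# Assumptions for illustration: Mersenne prime modulus, small generator.
# These are NOT production parameters.
P = 2**127 - 1
G = 3


def kdf(elem, n):
    """Derive an n-byte pad from a group element (hash-based key derivation)."""
    return hashlib.shake_256(elem.to_bytes(16, "big")).digest(n)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sender_public_constant():
    """Setup: sender publishes C, a group element whose discrete log the
    receiver does not know. It is reused across transfers."""
    return pow(G, secrets.randbelow(P - 2) + 1, P)


def receiver_first_message(c, sigma):
    """Pass 1 (receiver -> sender). The receiver knows the discrete log of
    PK_sigma only; PK_(1-sigma) is forced to C / PK_sigma. It sends PK_0,
    which is uniformly distributed whatever sigma is, so sigma stays hidden."""
    k = secrets.randbelow(P - 2) + 1
    pk_sigma = pow(G, k, P)
    pk_other = (c * pow(pk_sigma, -1, P)) % P
    pk0 = pk_sigma if sigma == 0 else pk_other
    return k, pk0


def sender_second_message(c, pk0, m0, m1):
    """Pass 2 (sender -> receiver). The sender reconstructs PK_1 = C / PK_0,
    picks r, and masks m_b with a key derived from PK_b^r. The receiver can
    compute only PK_sigma^r (it knows only one discrete log), so it can
    unmask only one of the two ciphertexts."""
    pk1 = (c * pow(pk0, -1, P)) % P
    r = secrets.randbelow(P - 2) + 1
    g_r = pow(G, r, P)
    e0 = xor_bytes(m0, kdf(pow(pk0, r, P), len(m0)))
    e1 = xor_bytes(m1, kdf(pow(pk1, r, P), len(m1)))
    return g_r, e0, e1


def receiver_recover(k, sigma, g_r, e0, e1):
    """Receiver computes (g^r)^k = PK_sigma^r and unmasks its chosen ciphertext."""
    e_sigma = e0 if sigma == 0 else e1
    return xor_bytes(e_sigma, kdf(pow(g_r, k, P), len(e_sigma)))


def run_ot(m0, m1, sigma):
    """Complete exchange for one transfer; returns what the receiver obtains."""
    c = sender_public_constant()
    k, pk0 = receiver_first_message(c, sigma)
    g_r, e0, e1 = sender_second_message(c, pk0, m0, m1)
    return receiver_recover(k, sigma, g_r, e0, e1)
```

The priced variant described in the abstract layers an encrypted balance on top of a transfer of this shape; the two-pass flow is what keeps each purchase a single round trip.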
Session-Key Generation using Human Passwords Only
, 2001
Cited by 76 (7 self)
We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form “is w the password of Party A”. We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire dictionary. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.
Multiparty Computation with Faulty Majority
, 1989
Cited by 75 (4 self)
We address the problem of performing a multiparty computation when more than half of the processors are cooperating Byzantine faults. We show how to compute any boolean function of n inputs distributively, preserving the privacy of inputs held by non-faulty processors, and ensuring that faulty processors obtain the function value “if and only if” the non-faulty processors do. If the non-faulty processors do not obtain the correct function value, they detect cheating with high probability. Our solution is based on a new type of verifiable secret sharing in which the secret is revealed not all at once but in small increments. This slow-revealing process ensures that all processors discover the secret at roughly the same time. Our solution assumes the existence of an oblivious transfer protocol and uses broadcast channels. We do not require that the processors have equal computing power.
Practical Quantum Oblivious Transfer
, 1992
Cited by 73 (12 self)
We describe a protocol for quantum oblivious transfer, utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two one-bit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (i.e. deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol is easy to modify in order to implement the All-or-Nothing Disclosure of one out of two string messages, and it can be used to implement bit commitment and oblivious circuit evaluation without complexity-theoretic assumptions, in a way that remains secure e...
An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries
 In EUROCRYPT 2007, Springer-Verlag (LNCS 4515)
, 2007
Cited by 73 (10 self)
We show an efficient secure two-party protocol, based on Yao’s construction, which provides security against malicious adversaries. Yao’s original protocol is only secure in the presence of semi-honest adversaries, and can be transformed into a protocol that achieves security against malicious adversaries by applying the compiler of Goldreich, Micali and Wigderson (the “GMW compiler”). However, this approach does not seem to be very practical as it requires using generic zero-knowledge proofs. Our construction is based on applying cut-and-choose techniques to the original circuit and inputs. Security is proved according to the ideal/real simulation paradigm, and the proof is in the standard model (with no random oracle model or common reference string assumptions). The resulting protocol is computationally efficient: the only usage of asymmetric cryptography is for running O(1) oblivious transfers for each input bit (or for each bit of a statistical security parameter, whichever is larger). Our protocol combines techniques from folklore (like cut-and-choose) along with new techniques for efficiently proving consistency of inputs. We remark that a naive implementation of the cut-and-choose technique with Yao’s protocol does not yield a
Cryptographic Techniques for Privacy-Preserving Data Mining
 SIGKDD Explorations
, 2002
Cited by 65 (0 self)
Research in secure distributed computation, which was done as part of a larger body of research in the theory of cryptography, has achieved remarkable results. It was shown that non-trusting parties can jointly compute functions of their different inputs while ensuring that no party learns anything but the defined output of the function. These results were shown using generic constructions that can be applied to any function that has an efficient representation as a circuit. We describe these results, discuss their efficiency, and demonstrate their relevance to privacy-preserving computation of data mining algorithms. We also show examples of secure computation of data mining algorithms that use these generic constructions.
Privacy Preserving Keyword Searches on Remote Encrypted Data
, 2004
Cited by 64 (0 self)
We consider the following problem: a user wants to store his files in an encrypted form on a remote file server S.
A cryptographic solution to a game theoretic problem
 In CRYPTO 2000: 20th International Cryptology Conference
, 2000
Cited by 63 (1 self)
In this work we use cryptography to solve a game-theoretic problem which arises naturally in the area of two-party strategic games. The standard game-theoretic solution concept for such games is that of an equilibrium, which is a pair of “self-enforcing” strategies making each player’s strategy an optimal response to the other player’s strategy. It is known that for many games the expected equilibrium payoffs can be much higher when a trusted third party (a “mediator”) assists the players in choosing their moves (correlated equilibria), than when each player has to choose its move on its own (Nash equilibria). It is natural to ask whether there exists a mechanism that eliminates the need for the mediator yet allows the players to maintain the high payoffs offered by mediator-assisted strategies. We answer this question affirmatively provided the players are computationally bounded and can have free communication (so-called “cheap talk”) prior to playing the game. The main building block of our solution is an efficient cryptographic protocol for the following Correlated Element Selection problem, which is of independent interest. Both Alice and Bob know a list of pairs (a1, b1), ..., (an, bn) (possibly with repetitions), and they want to pick a random index i such that Alice learns only ai and Bob learns only bi. Our solution to this problem has a constant number of rounds, negligible error probability, and uses only very simple zero-knowledge proofs. We then show how to incorporate our cryptographic protocol back into a game-theoretic setting, which highlights some interesting parallels between cryptographic protocols and extensive-form games.
Extending Oblivious Transfers Efficiently
, 2003
Cited by 58 (1 self)
We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers “for free,” can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function.
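The question the abstract poses has a concrete answer in the style of this paper's construction (Ishai, Kilian, Nissim and Petrank). As an added, simplified example (not the paper's own code), the block below takes K base transfers, modelled here as an ideal functionality standing in for the "free" OTs, and turns them into m random 1-out-of-2 transfers using only XORs and a hash; chosen messages are then sent by masking them with the resulting pads. The core trick is to run the K base OTs with the roles swapped: the receiver offers the columns of a random m x K bit matrix T and the same columns XORed with its m choice bits r, and the sender picks one of each pair with a random K-bit string s. Row j of what the sender gets is then t_j XOR (r_j * s), so hashing q_j and q_j XOR s gives the sender two pads of which the receiver can compute exactly the one indexed by r_j. The ideal base OT, the 32-byte pad length and the constructed messages are assumptions for illustration; in a real deployment the K base OTs are run with a genuine (expensive) OT protocol such as the one in the Priced Oblivious Transfer entry above.

```python
"""Simplified IKNP-style OT extension.
Added example, a simplification of the paper's construction, not its code.
Base OTs are modelled as an ideal functionality; messages are at most 32 bytes."""
import hashlib
import secrets

K = 128  # number of base OTs (security parameter)


def ideal_base_ot(msgs0, msgs1, choice_bits):
    """Stand-in for the K base OTs (assumption): the chooser obtains
    msgs1[i] if choice_bits[i] else msgs0[i]. In practice these K transfers
    come from a real OT protocol; everything below needs only XOR and hashing."""
    return [m1 if b else m0 for m0, m1, b in zip(msgs0, msgs1, choice_bits)]


def row(cols, j):
    """Row j of a matrix stored as K column integers: bit i = bit j of column i."""
    return sum(((c >> j) & 1) << i for i, c in enumerate(cols))


def pad(j, x):
    """Correlation-robust hash of (index, K-bit row) giving a 32-byte pad."""
    return hashlib.sha256(j.to_bytes(8, "big") + x.to_bytes(K // 8, "big")).digest()


def extend(m, r):
    """K base OTs -> m random OTs. r holds the receiver's m choice bits
    (bit j = choice for OT j). Returns (sender_pads, receiver_pads) with
    sender_pads[j] = (pad0, pad1) and receiver_pads[j] == sender_pads[j][r_j]."""
    # Receiver: random m x K bit matrix T, kept as K columns of m bits each.
    t_cols = [secrets.randbits(m) for _ in range(K)]
    # Sender: random K-bit string s, used as its choice bits in the base OTs.
    s_bits = [secrets.randbits(1) for _ in range(K)]
    s = sum(b << i for i, b in enumerate(s_bits))
    # Base OTs with roles reversed: the receiver offers (t^i, t^i xor r) and
    # the sender learns q^i = t^i xor (s_i * r) for each column i.
    q_cols = ideal_base_ot(t_cols, [t ^ r for t in t_cols], s_bits)
    sender_pads = []
    for j in range(m):
        q_j = row(q_cols, j)  # equals t_j xor (r_j * s)
        sender_pads.append((pad(j, q_j), pad(j, q_j ^ s)))
    # The receiver knows t_j, which is q_j when r_j = 0 and q_j xor s when r_j = 1.
    receiver_pads = [pad(j, row(t_cols, j)) for j in range(m)]
    return sender_pads, receiver_pads


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def transfer(m0_list, m1_list, r):
    """Chosen-message OTs on top of the random OTs: the sender masks each
    pair with its two pads; the receiver unmasks the ciphertext matching r_j."""
    m = len(m0_list)
    sender_pads, receiver_pads = extend(m, r)
    ciphertexts = [(xor_bytes(m0, p0), xor_bytes(m1, p1))
                   for (m0, m1), (p0, p1) in zip(zip(m0_list, m1_list), sender_pads)]
    return [xor_bytes(ciphertexts[j][(r >> j) & 1], receiver_pads[j]) for j in range(m)]
```

The cost that matters is that the public-key work is fixed at K base OTs no matter how large m grows; the abstract's "inefficient in practice" objection to Beaver's construction is exactly that it cannot treat the underlying primitive as a black box the way the base OTs are treated here.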