Results 1 - 10
of
15
Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer
- In the 8th TCC, Springer (LNCS 6597
, 2011
"... Protocols for secure two-party computation enable a pair of parties to compute a function of their inputs while preserving security properties such as privacy, correctness and independence of inputs. Recently, a number of protocols have been proposed for the efficient construction of two-party compu ..."
Abstract
-
Cited by 62 (8 self)
- Add to MetaCart
Protocols for secure two-party computation enable a pair of parties to compute a function of their inputs while preserving security properties such as privacy, correctness and independence of inputs. Recently, a number of protocols have been proposed for the efficient construction of two-party computation secure in the presence of malicious adversaries (where security is proven under the standard simulation-based ideal/real model paradigm for defining security). In this paper, we present a protocol for this task that follows the methodology of using cut-and-choose to boost Yao’s protocol to be secure in the presence of malicious adversaries. Relying on specific assumptions (DDH), we construct a protocol that is significantly more efficient and far simpler than the protocol of Lindell and Pinkas (Eurocrypt 2007) that follows the same methodology. We provide an exact, concrete analysis of the efficiency of our scheme and demonstrate that (at least for not very small circuits) our protocol is more efficient than any other known today. secure two-party computation, malicious adversaries, cut-and-choose, concrete effi-Keywords: ciency
From secrecy to soundness: efficient verification via secure computation
- In Proceedings of the 37th international colloquium conference on Automata, languages and programming
, 2010
"... Abstract. We study the problem of verifiable computation (VC) in which a computationally weak client wishes to delegate the computation of a function f on an input x to a computationally strong but untrusted server. We present new general approaches for constructing VC proto-cols, as well as solving ..."
Abstract
-
Cited by 46 (4 self)
- Add to MetaCart
Abstract. We study the problem of verifiable computation (VC) in which a computationally weak client wishes to delegate the computation of a function f on an input x to a computationally strong but untrusted server. We present new general approaches for constructing VC proto-cols, as well as solving the related problems of program checking and self-correcting. The new approaches reduce the task of verifiable com-putation to suitable variants of secure multiparty computation (MPC) protocols. In particular, we show how to efficiently convert the secrecy property of MPC protocols into soundness of a VC protocol via the use of a message authentication code (MAC). The new connections allow us to apply results from the area of MPC towards simplifying, unifying, and improving over previous results on VC and related problems. In particular, we obtain the following concrete applications: (1) The first VC protocols for arithmetic computations which only make a black-box use of the underlying field or ring; (2) a non-interactive VC protocol for boolean circuits in the preprocessing model, conceptually simplify-ing and improving the online complexity of a recent protocol of Gen-naro et al. (Cryptology ePrint Archive: Report 2009/547); (3) NC0 self-correctors for complete languages in the complexity class NC1 and var-ious log-space classes, strengthening previous AC0 correctors of Gold-wasser et al. (STOC 2008). 1
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries ∗
, 2013
"... In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao’s garbled circuits (FOCS 1986). In the sem ..."
Abstract
-
Cited by 29 (3 self)
- Add to MetaCart
(Show Context)
In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao’s garbled circuits (FOCS 1986). In the semi-honest model, where just one garbled circuit is constructed and evaluated, Yao’s protocol has proven itself to be very efficient. However, a malicious adversary who constructs the garbled circuit may construct a garbling of a different circuit computing a different function, and this cannot be detected (due to the garbling). In order to solve this problem, many circuits are sent and some of them are opened to check that they are correct while the others are evaluated. This methodology, called cut-and-choose, introduces significant overhead, both in computation and in communication, and is mainly due to the number of circuits that must be used in order to prevent cheating. In this paper, we present a cut-and-choose protocol for secure computation based on garbled circuits, with security in the presence of malicious adversaries, that vastly improves on all previous protocols of this type. Concretely, for a cheating probability of at most 2−40, the best previous works send between 125 and 128 circuits. In contrast, in our protocol 40 circuits alone suffice (with some additional overhead). Asymptotically, we achieve a cheating probability of 2−s where s is the number of garbled circuits, in contrast to the previous best of 2−0.32s. We achieve this by introducing a new cut-and-choose methodology with the property that in order to cheat, all of the evaluated circuits must be incorrect, and not just the majority as in previous works. Keywords: two-party computation, Yao’s protocol, cut-and-choose, concrete efficiency
The IPS Compiler: Optimizations, Variants and Concrete Efficiency
, 2011
"... In recent work, Ishai, Prabhakaran and Sahai (CRYPTO 2008) presented a new compiler (hereafter the IPS compiler) for constructing protocols that are secure in the presence of malicious adversaries without an honest majority from protocols that are only secure in the presence of semi-honest adversari ..."
Abstract
-
Cited by 19 (1 self)
- Add to MetaCart
In recent work, Ishai, Prabhakaran and Sahai (CRYPTO 2008) presented a new compiler (hereafter the IPS compiler) for constructing protocols that are secure in the presence of malicious adversaries without an honest majority from protocols that are only secure in the presence of semi-honest adversaries. The IPS compiler has many important properties: it provides a radically different way of obtaining security in the presence of malicious adversaries with no honest majority, it is black-box in the underlying semi-honest protocol, and it has excellent asymptotic efficiency. In this paper, we study the IPS compiler from a number different angles. We present an efficiency improvement of the “watchlist setup phase ” of the compiler that also facilitates a simpler and tighter analysis of the cheating probability. In addition, we present a conceptually simpler variant that uses protocols that are secure in the presence of covert adversaries as its basic building block. This variant can be used to achieve more efficient asymptotic security, as we show regarding black-box constructions of malicious oblivious transfer from semi-honest oblivious transfer. In addition, it deepens our understanding of the model of security in the presence of covert adversaries. Finally, we analyze the IPS compiler from a concrete efficiency perspective and demonstrate that in some cases it can be competitive with the best efficient protocols currently known.
SHADE: Secure HAmming DistancE computation from oblivious transfer
, 2012
"... We introduce two new schemes for securely computing Hamming distance in the two-party setting. Our first scheme is a very efficient protocol, based solely on 1-out-of-2 Oblivious Transfer, that achieves full security in the semi-honest setting and one-sided security in the malicious setting. Moreov ..."
Abstract
-
Cited by 7 (1 self)
- Add to MetaCart
(Show Context)
We introduce two new schemes for securely computing Hamming distance in the two-party setting. Our first scheme is a very efficient protocol, based solely on 1-out-of-2 Oblivious Transfer, that achieves full security in the semi-honest setting and one-sided security in the malicious setting. Moreover we show that this protocol is significantly more efficient than the previous proposals, that are either based on garbled circuits or on homomorphic encryption. Our second scheme achieves full security against malicious adversaries and is based on Committed Oblivious Transfer. These protocols have direct applications to secure biometric identification.
From Dust to Dawn: Practically Efficient Two-Party Secure Function Evaluation Protocols and their Modular Design
, 2010
"... General two-party Secure Function Evaluation (SFE) allows mutually distrusting parties to (jointly) correctly compute any function on their private input data, without revealing the inputs. SFE, properly designed, guarantees to satisfy the most stringent security requirements, even for interactive ..."
Abstract
-
Cited by 7 (1 self)
- Add to MetaCart
General two-party Secure Function Evaluation (SFE) allows mutually distrusting parties to (jointly) correctly compute any function on their private input data, without revealing the inputs. SFE, properly designed, guarantees to satisfy the most stringent security requirements, even for interactive computation. Two-party SFE can benefit almost any client-server interaction where privacy is required, such as privacy-preserving credit checking, medical classification, or face recognition. Today, SFE is subject of an immense amount of research in a variety of directions, and is not easy to navigate. In this paper, we systematize the most practically important work of the vast research knowledge on general SFE. It turns out that the most efficient SFE protocols today are obtained by combining several basic techniques, such as garbled circuits and homomorphic encryption. We limit our detailed discussion to efficient general techniques. In particular, we do not discuss the details of currently practically inefficient techniques, such as fully homomorphic encryption (although we elaborate on its practical relevance), nor do we cover specialized techniques applicable only to small classes of functions. As an important practical contribution, we present a framework in which today’s practically most
Efficiently Outsourcing Multiparty Computation under Multiple Keys
"... Abstract. Secure Multiparty Computation (SMC) enables a set of users to evaluate certain functionalities on their respective inputs while keeping these inputs encrypted throughout the computation. Inmanyscenarios, however, outsourcingthesecomputations toanuntrustedserver is desirable, sothattheserve ..."
Abstract
-
Cited by 5 (0 self)
- Add to MetaCart
(Show Context)
Abstract. Secure Multiparty Computation (SMC) enables a set of users to evaluate certain functionalities on their respective inputs while keeping these inputs encrypted throughout the computation. Inmanyscenarios, however, outsourcingthesecomputations toanuntrustedserver is desirable, sothattheservercanperform thecomputationonbehalfoftheusers.Unfortunately, existing solutions are either inefficient, rely heavily on user interaction, or require the inputs to be encrypted under the same key—drawbacks making the employment in practice very limited. We propose the first general-purpose construction that avoids all these drawbacks: it is efficient, it requires no user interaction whatsoever (except for data up- and download), and it allows evaluating any dynamically chosen function on inputs encrypted under different independent public keys. Our solution assumes the existence of two non-colluding but untrusted servers that jointly perform the computation by means of a cryptographic protocol. This protocol is provably secure in the semi-honest model. We demonstrate the applicability of our result in two real-world scenarios from different domains: Privacy-Preserving Face Recognition and Private Smart Metering. Finally, we give a performance analysis of our general-purpose construction to highlight its practicability.
Efficient Secure Two-Party Exponentiation
, 2011
"... We present a new framework to design secure two-party computation protocols for exponentiation over integers and over ZQ where Q is a publicly-known prime. Using our framework, we realize efficient protocols in the semi-honest setting. Assuming the base is non-zero, and the exponent is at most Q/2 f ..."
Abstract
-
Cited by 2 (1 self)
- Add to MetaCart
(Show Context)
We present a new framework to design secure two-party computation protocols for exponentiation over integers and over ZQ where Q is a publicly-known prime. Using our framework, we realize efficient protocols in the semi-honest setting. Assuming the base is non-zero, and the exponent is at most Q/2 for the ZQ case, our protocols consist of at most 5 rounds (each party sending 5 messages) and the total communication consists of a small constant number ( ≤ 18) of encrypted/encoded elements in ZQ. Without these assumptions, our protocols are still more efficient than a protocol recently proposed by Damg˚ard et al. in TCC 2006 (24 vs.> 114 rounds, ≈ 279ℓ+12t foranerrorrateof2 −t vs.> 110ℓ log ℓ secure multiplications, where ℓ is the bit length of the shares). Our protocols are constructed from different instantiations of our framework with different assumptions (homomorphic encryption or oblivious transfers) to achieve different advantages. Our key idea is to exploit the properties of both additive and multiplicative secret sharing. We also propose efficient transformation protocols between these sharings, which might be of independent interest.
Statistical Impossibility Results for Oblivious Transfer Reductions
"... Abstract. Due to its universality oblivious transfer (OT) is a primitive of great importance in secure multi-party computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such a ..."
Abstract
-
Cited by 2 (0 self)
- Add to MetaCart
(Show Context)
Abstract. Due to its universality oblivious transfer (OT) is a primitive of great importance in secure multi-party computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (error-free) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC ’96) or by Dodis and Micali (EUROCRYPT ’99). But since in practice one is usually willing to tolerate a small probability of error and since these statistical reductions can be much more efficient, the known bounds have only limited application. In this work we provide lower bounds on the efficiency of 1-out-of-n OT and Rabin-OT reductions to distributed randomness in the statistical case. From these results we derive bounds on reductions to different variants of OT that generalize known bounds to the statistical case. Our bounds hold in particular for transformations between a finite number of primitives and for any error. Keywords. Unconditional Security, Oblivious Transfer, Lower Bounds, Two-Party Computation. 1
PRIVACY-AWARE COLLABORATION AMONG UNTRUSTED RESOURCE CONSTRAINED DEVICES
, 2012
"... To Elizabeth and my parents. ..."
