Results 1  10
of
113
Multiparty Computation from Threshold Homomorphic Encryption
, 2001
"... Abstract. We introduce a new approach to multiparty computation (MPC) basing it on homomorphic threshold cryptosystems. We show that given keys for any sufficiently efficient system of this type, general MPC protocols for n parties can be devised which are secure against an active adversary that co ..."
Abstract

Cited by 133 (14 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a new approach to multiparty computation (MPC) basing it on homomorphic threshold cryptosystems. We show that given keys for any sufficiently efficient system of this type, general MPC protocols for n parties can be devised which are secure against an active adversary that corrupts any minority of the parties. The total number of bits broadcast is O(nkC), where k is the security parameter and C  is the size of a (Boolean) circuit computing the function to be securely evaluated. An earlier proposal by Franklin and Haber with the same complexity was only secure for passive adversaries, while all earlier protocols with active security had complexity at least quadratic in n. We give two examples of threshold cryptosystems that can support our construction and lead to the claimed complexities. 1
Efficient Private Bidding and Auctions with an Oblivious Third Party
 In Proceedings of the 6th ACM conference on Computer and communications security
, 1999
"... We describe a novel and efficient protocol for the following problem: A wants to buy some good from B if the price is less than a. B would like to sell, but only for more than b, and neither of them wants to reveal the secret bounds. Will the deal take place? Our solution uses an oblivious third ..."
Abstract

Cited by 95 (1 self)
 Add to MetaCart
We describe a novel and efficient protocol for the following problem: A wants to buy some good from B if the price is less than a. B would like to sell, but only for more than b, and neither of them wants to reveal the secret bounds. Will the deal take place? Our solution uses an oblivious third party T who learns no information about a or b, not even whether a ? b. The protocol needs only a single round of interaction, ensures fairness, and is not based on general circuit evaluation techniques. It uses a novel construction, which combines homomorphic encryption with the \Phihiding assumption and which may be of independent interest. Applications include bargaining between two parties and secure and efficient auctions in the absence of a fully trusted auction service.
Separating random oracle proofs from complexity theoretic proofs: The noncommitting encryption case
 IN PROCEEDINGS OF CRYPTO ’02, LNCS SERIES
, 2002
"... We show that there exists a natural protocol problem which has a simple solution in the randomoracle (RO) model and which has no solution in the complexitytheoretic (CT) model, namely the problem of constructing a noninteractive communication protocol secure against adaptive adversaries a.k.a. n ..."
Abstract

Cited by 81 (3 self)
 Add to MetaCart
We show that there exists a natural protocol problem which has a simple solution in the randomoracle (RO) model and which has no solution in the complexitytheoretic (CT) model, namely the problem of constructing a noninteractive communication protocol secure against adaptive adversaries a.k.a. noninteractive noncommitting encryption. This separation between the models is due to the socalled programability of the random oracle. We show this by providing a formulation of the RO model in which the oracle is not programmable, and showing that in this model, there does not exist noninteractive noncommitting encryption.
The Dining Cryptographers in the Disco: Unconditional Sender and Recipient Untraceability with Computationally Secure Serviceability
, 1989
"... In Journal of Cryptology 1/1 (1988) 6575 ( = [Chau_88]), David Chaum describes a beautiful technique, the DCnet, which should allow participants to send and receive messages anonymously in an arbitrary network. The untraceability of the senders is proved to be unconditional, but that of the recipi ..."
Abstract

Cited by 67 (1 self)
 Add to MetaCart
In Journal of Cryptology 1/1 (1988) 6575 ( = [Chau_88]), David Chaum describes a beautiful technique, the DCnet, which should allow participants to send and receive messages anonymously in an arbitrary network. The untraceability of the senders is proved to be unconditional, but that of the recipients implicitly assumes a reliable broadcast network. This assumption is unrealistic in some networks, but it can be removed completely by using the failstop key generation schemes by Waidner (these proceedings, = [Waid_89]). In both cases, however, each participant can untraceably and permanently disrupt the entire DCnet. We present a protocol which guarantees unconditional untraceability, the original goal of the DCnet, on the inseparability assumption (i.e. the attacker must be unable to prevent honest participants from communicating, which is considerably less than reliable broadcast), and computationally secure serviceability: Computationally restricted disrupters can be identified and removed from the DCnet. On the one hand, our solution is based on the lovely idea by David Chaum [Chau_88 § 2.5] of setting traps for disrupters. He suggests a scheme to guarantee unconditional untraceability and computationally secure serviceability, too, but on the reliable broadcast assumption. The same scheme seems to be used by
Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared SafePrime Products
, 2002
"... We present a new protocol for ecient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows to distributively compute shared RSA keys, where th ..."
Abstract

Cited by 58 (0 self)
 Add to MetaCart
(Show Context)
We present a new protocol for ecient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows to distributively compute shared RSA keys, where the modulus is the product of two safe primes, much more efficiently than was previously known.
AccountableSubgroup Multisignatures
 In Proceedings of CCS 2001
, 2000
"... Formal models and security proofs are especially important for multisignatures: in contrast to threshold signatures, no precise definitions were ever provided for such schemes, and some proposals were subsequently broken. ..."
Abstract

Cited by 49 (2 self)
 Add to MetaCart
Formal models and security proofs are especially important for multisignatures: in contrast to threshold signatures, no precise definitions were ever provided for such schemes, and some proposals were subsequently broken.
Unconditional Sender and Recipient Untraceability in spite of Active Attacks
, 1989
"... . A protocol is described which allows to send and receive messages anonymously using an arbitrary communication network, and it is proved to be unconditionally secure. This improves a result by DAVID CHAUM: The DCnet guarantees the same, but on the assumption of a reliable broadcast network. Since ..."
Abstract

Cited by 42 (1 self)
 Add to MetaCart
. A protocol is described which allows to send and receive messages anonymously using an arbitrary communication network, and it is proved to be unconditionally secure. This improves a result by DAVID CHAUM: The DCnet guarantees the same, but on the assumption of a reliable broadcast network. Since unconditionally secure Byzantine Agreement cannot be achieved, such a reliable broadcast network cannot be realized by algorithmic means. The solution proposed here, the DC + net, uses the DCnet, but replaces the reliable broadcast network by a failstop one. By choosing the keys necessary for the DCnet dependently on the previously broadcast messages, the failstop broadcast can be achieved unconditionally secure and without increasing the complexity of the DCnet significantly, using an arbitrary communication network. Categories and Subject Descriptors: C.2.0 [ComputerCommunication Networks]: General  Security and protection, E.3 [Data Encryption], F.2.1 [Analysis of Algorithms...
Sharemind: a framework for fast privacypreserving computations. Cryptology ePrint Archive, Report 2008/289
, 2008
"... Abstract. Gathering and processing sensitive data is a difficult task. In fact, there is no common recipe for building the necessary information systems. In this paper, we present a provably secure and efficient generalpurpose computation system to address this problem. Our solution—SHAREMIND—is a ..."
Abstract

Cited by 41 (8 self)
 Add to MetaCart
Abstract. Gathering and processing sensitive data is a difficult task. In fact, there is no common recipe for building the necessary information systems. In this paper, we present a provably secure and efficient generalpurpose computation system to address this problem. Our solution—SHAREMIND—is a virtual machine for privacypreserving data processing that relies on share computing techniques. This is a standard way for securely evaluating functions in a multiparty computation environment. The novelty of our solution is in the choice of the secret sharing scheme and the design of the protocol suite. We have made many practical decisions to make largescale share computing feasible in practice. The protocols of SHAREMIND are informationtheoretically secure in the honestbutcurious model with three computing participants. Although the honestbutcurious model does not tolerate malicious participants, it still provides significantly increased privacy preservation when compared to standard centralised databases. 1
Lego for twoparty secure computation
 In Theory of Cryptography (TCC’09), volume 5444 of LNCS
, 2009
"... Abstract The first and still most popular solution for secure twoparty computation relies on Yao’s garbled circuits. Unfortunately, Yao’s construction provide security only against passive adversaries. Several constructions (zeroknowledge compiler, cutandchoose) are known in order to provide sec ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
Abstract The first and still most popular solution for secure twoparty computation relies on Yao’s garbled circuits. Unfortunately, Yao’s construction provide security only against passive adversaries. Several constructions (zeroknowledge compiler, cutandchoose) are known in order to provide security against active adversaries, but most of them are not efficient enough to be considered practical. In this paper we propose a new approach called LEGO (Large Efficient Garbledcircuit Optimization) for twoparty computation, which allows to construct more efficient protocols secure against active adversaries. The basic idea is the following: Alice constructs and provides Bob a set of garbled NAND gates. A fraction of them is checked by Alice giving Bob the randomness used to construct them. When the check goes through, with overwhelming probability there are very few bad gates among the nonchecked gates. These gates Bob permutes and connects to a Yao circuit, according to a faulttolerant circuit design which computes the desired function even in the presence of a few random faulty gates. Finally he evaluates this Yao circuit in the usual way. For large circuits, our protocol offers better performance than any other existing protocol.
From partial consistency to global broadcast
 IN STOC ’00: PROCEEDINGS OF
, 2000
"... This paper considers unconditionally secure protocols for reliable broadcast among a set of n players, some of which may be corrupted by an active (Byzantine) adversary. In the standard model with a complete, synchronous network of pairwise authentic communication channels among the players, broadca ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
(Show Context)
This paper considers unconditionally secure protocols for reliable broadcast among a set of n players, some of which may be corrupted by an active (Byzantine) adversary. In the standard model with a complete, synchronous network of pairwise authentic communication channels among the players, broadcast is achievable if and only if the number of corrupted players is less than n=3. We show that, by extending this model only by the existence of a broadcast channel among three players, global broadcast is achievable if and only if the number of corrupted players is less than n=2. Moreover, for this an even weaker primitive than broadcast among three players is sufficient. All protocols are efficient.