Results 1-10 of 43
Secure multiparty computation of approximations
, 2001
Cited by 98 (24 self)
Approximation algorithms can sometimes provide efficient solutions when no efficient exact computation is known. In particular, approximations are often useful in a distributed setting where the inputs are held by different parties and may be extremely large. Furthermore, for some applications, the parties want to compute a function of their inputs securely, without revealing more information than necessary. In this work we study the question of simultaneously addressing the above efficiency and security concerns via what we call secure approximations. We start by extending standard definitions of secure (exact) computation to the setting of secure approximations. Our definitions guarantee that no additional information is revealed by the approximation beyond what follows from the output of the function being approximated. We then study the complexity of specific secure approximation problems. In particular, we obtain a sublinear-communication protocol for securely approximating the Hamming distance and a polynomial-time protocol for securely approximating the permanent and related #P-hard problems.
Extending Oblivious Transfers Efficiently
, 2003
Cited by 57 (1 self)
We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers "for free," can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function.
Secure Computation of the kth-Ranked Element
 In Advances in Cryptology - Proc. of Eurocrypt ’04
, 2004
Cited by 48 (7 self)
Given two or more parties possessing large, confidential datasets, we consider the problem of securely computing the kth-ranked element of the union of the datasets, e.g. the median of the values in the datasets. We investigate protocols with sublinear computation and communication costs. In the two-party case, we show that the kth-ranked element can be computed in log k rounds, where the computation and communication costs of each round are O(log M), where log M is the number of bits needed to describe each element of the input data.
Selective private function evaluation with applications to private statistics
 In Proceedings of Twentieth ACM Symposium on Principles of Distributed Computing (PODC)
, 2001
Cited by 44 (9 self)
Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database $z = z_1, \ldots, z_n$ in order to compute $f(z_{i_1}, \ldots, z_{i_m})$, for some function $f$ and indices $i = i_1, \ldots, i_m$ chosen by the client. Ideally, the client must learn nothing more about the database than $f(z_{i_1}, \ldots, z_{i_m})$, and the servers should learn nothing. Generic solutions for this problem, based on standard techniques for secure function evaluation, incur communication complexity that is at least linear in n, making them prohibitive for large databases even when f is relatively simple and m is small. We present various approaches for constructing sublinear-communication SPFE protocols, both for the general problem and for special cases of interest. Our solutions not only offer sublinear communication complexity, but are also practical in many scenarios.
On 2-Round Secure Multiparty Computation
 In Proc. Crypto ’02
, 2002
Cited by 26 (3 self)
Substantial efforts have been spent on characterizing the round complexity of various cryptographic tasks. In this work we study the round complexity of secure multiparty computation in the presence of an active (Byzantine) adversary, assuming the availability of secure point-to-point channels and a broadcast primitive. It was recently shown that in this setting three rounds are sufficient for arbitrary secure computation tasks, with a linear security threshold, and two rounds are sufficient for certain nontrivial tasks. This leaves open the question whether every function can be securely computed in two rounds. We show that the answer to this question is “no”: even some very simple functions do not admit secure 2-round protocols (independently of their communication and time complexity) and thus 3 is the exact round complexity of general secure multiparty computation. Yet, we also present some positive results by identifying a useful class of functions which can be securely computed in two rounds. Our results apply both to the information-theoretic and to the computational notions of security.
Secure computation of the kth-ranked element
 In Advances in Cryptology - Proc. of Eurocrypt ’04
, 2004
Cited by 23 (2 self)
Given two or more parties possessing large, confidential datasets, we consider the problem of securely computing the kth-ranked element of the union of the datasets, e.g. the median of the values in the datasets. We investigate protocols with sublinear computation and communication costs. In the two-party case, we show that the kth-ranked element can be computed in log k rounds, where the computation and communication costs of each round are O(log M), where log M is the number of bits needed to describe each element of the input data. The protocol can be made secure against a malicious adversary, and can hide the sizes of the original datasets. In the multiparty setting, we show that the kth-ranked element can be computed in log M rounds, with O(s log M) overhead per round, where s is the number of parties. The multiparty protocol can be used in the two-party case and can also be made secure against a malicious adversary.
Evaluating branching programs on encrypted data
 In TCC 2007
, 2007
Cited by 22 (1 self)
We present a public-key encryption scheme with the following properties. Given a branching program P and an encryption c of an input x, it is possible to efficiently compute a succinct ciphertext c′ from which P(x) can be efficiently decoded using the secret key. The size of c′ depends polynomially on the size of x and the length of P, but does not further depend on the size of P. As interesting special cases, one can efficiently evaluate finite automata, decision trees, and OBDDs on encrypted data, where the size of the resulting ciphertext c′ does not depend on the size of the object being evaluated. These are the first general representation models for which such a feasibility result is shown. Our main construction generalizes the approach of Kushilevitz and Ostrovsky (FOCS 1997) for constructing single-server Private Information Retrieval protocols. We also show how to strengthen the above so that c′ does not contain additional information about P (other than P(x) for some x) even if the public key and the ciphertext c are maliciously formed. This yields a two-message secure protocol for evaluating a length-bounded branching program P held by a server on an input x held by a client. A distinctive feature of this protocol is that it hides the size of the server’s input P from the client. In particular, the client’s work is independent of the size of P.
Privacy Preserving Error Resilient DNA Searching through Oblivious Automata
Cited by 20 (2 self)
Human DesoxyriboNucleic Acid (DNA) sequences offer a wealth of information that reveal, among others, predisposition to various diseases and paternity relations. The breadth and personalized nature of this information highlights the need for privacy-preserving protocols. In this paper, we present a new error-resilient privacy-preserving string searching protocol that is suitable for running private DNA queries. This protocol checks if a short template (e.g., a string that describes a mutation leading to a disease), known to one party, is present inside a DNA sequence owned by another party, accounting for possible errors and without disclosing to each party the other party’s input. Each query is formulated as a regular expression over a finite alphabet and implemented as an automaton. As the main technical contribution, we provide a protocol that allows to execute any finite state machine in an oblivious manner, requiring a communication complexity which is linear both in the number of states and the length of the input string.
Constant-round multiparty computation using a black-box pseudorandom generator
 In: CRYPTO. LNCS
, 2005
Cited by 20 (5 self)
We present a constant-round protocol for general secure multiparty computation which makes a black-box use of a pseudorandom generator. In particular, the protocol does not require expensive zero-knowledge proofs and its communication complexity does not depend on the computational complexity of the underlying cryptographic primitive. Our protocol withstands an active, adaptive adversary corrupting a minority of the parties. Previous constant-round protocols of this type were only known in the semi-honest model or for restricted classes of functionalities.
Oblivious Polynomial Evaluation
 SIAM J. Comput
, 2006
Cited by 20 (1 self)
Oblivious polynomial evaluation is a protocol involving two parties, a sender whose input is a polynomial P, and a receiver whose input is a value α. At the end of the protocol the receiver learns P(α) and the sender learns nothing. We describe efficient constructions for this protocol, which are based on new intractability assumptions that are closely related to noisy polynomial reconstruction. Oblivious polynomial evaluation can be used as a primitive in many applications. We describe several such applications, including protocols for private comparison of data, for mutually authenticated key exchange based on (possibly weak) passwords, and for anonymous coupons.