Privacy-preserving set operations
In Advances in Cryptology - CRYPTO 2005, LNCS, 2005
Cited by 103 (0 self)
In many important applications, a collection of mutually distrustful parties must perform private computation over multisets. Each party’s input to the function is his private input multiset. In order to protect these private sets, the players perform privacy-preserving computation; that is, no party learns more information about other parties’ private input sets than what can be deduced from the result. In this paper, we propose efficient techniques for privacy-preserving operations on multisets. By employing the mathematical properties of polynomials, we build a framework of efficient, secure, and composable multiset operations: the union, intersection, and element reduction operations. We apply these techniques to a wide range of practical problems, achieving more efficient results than those of previous work.
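The polynomial encoding this abstract alludes to, as an added illustration that is not code from the paper: a multiset is the multiset of roots of f(x) = ∏(x - a) over a prime field, the union of two multisets is the product f·g, and the intersection is read off from h = f·r + g·s for fresh random polynomials r and s. The real protocol applies these operations to homomorphically encrypted coefficients so that neither party sees the other's polynomial; this example runs them in the clear to show why the algebra works. The modulus P, the degrees chosen for r and s, and the sample multisets are assumptions made for this example.

```python
"""Multisets as polynomials over GF(P): union and intersection in the clear.

Added illustration, not code from the paper. A multiset S is encoded as
f(x) = prod_{a in S} (x - a); the roots of f, counted with multiplicity, are
exactly S. The modulus P, the sample multisets in the demo and the degrees of
the random polynomials are constructed for this example.
"""
import secrets

P = (1 << 61) - 1  # a Mersenne prime; a random polynomial vanishes at a
                   # given point with probability about 1/P

# Polynomials are lists of coefficients in [0, P), lowest degree first.


def poly_add(f, g):
    n = max(len(f), len(g))
    f = f + [0] * (n - len(f))
    g = g + [0] * (n - len(g))
    return [(a + b) % P for a, b in zip(f, g)]


def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        if a:
            for j, b in enumerate(g):
                out[i + j] = (out[i + j] + a * b) % P
    return out


def poly_eval(f, x):
    acc = 0  # Horner's rule
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc


def from_multiset(elems):
    """f(x) = prod (x - a) over the elements, repetitions included."""
    f = [1]
    for a in elems:
        f = poly_mul(f, [(-a) % P, 1])
    return f


def random_poly(degree):
    """Uniformly random coefficients; the protocol draws a fresh one per run."""
    return [secrets.randbelow(P) for _ in range(degree + 1)]


def multiplicity(f, a):
    """How many times (x - a) divides f, by repeated synthetic division."""
    count = 0
    while len(f) > 1 and poly_eval(f, a) == 0:
        q = [0] * (len(f) - 1)
        carry = 0
        for i in range(len(f) - 1, 0, -1):
            carry = (f[i] + carry * a) % P
            q[i - 1] = carry
        f = q
        count += 1
    return count


def union(S, T):
    """Multiset union: the roots of f*g are S and T with multiplicities added."""
    return poly_mul(from_multiset(S), from_multiset(T))


def intersection_poly(S, T):
    """h = f*r + g*s. Every common root of f and g is a root of h. An element
    in only one set, say a in S but not in T, gives h(a) = g(a)*s(a), which is
    zero only if the random s happens to vanish at a (probability about 1/P),
    so with overwhelming probability h vanishes exactly on the intersection."""
    f, g = from_multiset(S), from_multiset(T)
    r, s = random_poly(len(S)), random_poly(len(T))
    return poly_add(poly_mul(f, r), poly_mul(g, s))


def intersection(S, T):
    """The party holding S tests only its own elements against h, as in the
    protocol, so it learns nothing about elements of T outside S."""
    h = intersection_poly(S, T)
    return sorted(a for a in set(S) if poly_eval(h, a) == 0)


def cardinality(S, T):
    return len(intersection(S, T))


if __name__ == "__main__":
    S = [3, 5, 5, 8, 13]   # constructed sample multisets
    T = [5, 8, 8, 21]
    print("intersection:", intersection(S, T))
    print("multiplicity of 8 in union:", multiplicity(union(S, T), 8))
```

The random polynomials are what make the intersection step private: f + g alone would let a party holding one polynomial recover the other's by subtraction, whereas f·r + g·s carries no information about f or g beyond their common roots. The same encoding serves the intersection variants in the "Private and Threshold Set-Intersection" entry below; cardinality is just the number of roots found.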
Searchable Symmetric Encryption: Improved Definitions and . . .
In CCS, 2006
Cited by 48 (3 self)
Searchable symmetric encryption (SSE) allows a party to outsource the storage of his data to another party in a private manner, while maintaining the ability to selectively search over it. This problem has been the focus of active research and several security definitions and constructions have been proposed. In this paper we review existing security definitions, pointing out their shortcomings, and propose two new stronger definitions which we prove equivalent. We then present two constructions that we show secure under our new definitions. Interestingly, in addition to satisfying stronger security guarantees, our constructions are more efficient than all previous constructions. Further,
Efficient Two-Party Secure Computation on Committed Inputs
In EUROCRYPT, 2007
Cited by 40 (2 self)
We present an efficient construction of Yao’s “garbled circuits” protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of malicious adversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(|C|) modular exponentiations per player, and a bandwidth of O(|C|) group elements, where |C| is the size of the computed circuit. Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous (it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key. Our second tool is a practical four-round (two-round in ROM) protocol for committed oblivious transfer on strings (string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.
Constant-round multiparty computation using a black-box pseudorandom generator
In CRYPTO, LNCS, 2005
Cited by 20 (5 self)
We present a constant-round protocol for general secure multiparty computation which makes a black-box use of a pseudorandom generator. In particular, the protocol does not require expensive zero-knowledge proofs and its communication complexity does not depend on the computational complexity of the underlying cryptographic primitive. Our protocol withstands an active, adaptive adversary corrupting a minority of the parties. Previous constant-round protocols of this type were only known in the semi-honest model or for restricted classes of functionalities.
Private and Threshold Set-Intersection
In Advances in Cryptology – CRYPTO ’05, 2004
Cited by 17 (2 self)
In this paper we consider the problem of privately computing the intersection of sets (set-intersection), as well as several variations on this problem: cardinality set-intersection, threshold set-intersection, and over-threshold set-intersection. Cardinality set-intersection is the problem of determining the size of the intersection set, without revealing the actual threshold set. In threshold set-intersection, only the elements which appear at least a threshold number t times in the players' private inputs are revealed. Over-threshold set-intersection is a variation on threshold set-intersection in which not only the threshold set is revealed, but also the number of times each element in the threshold set appeared in the private inputs. We propose protocols that are more...
Secure two-party k-means clustering
In CCS ’07: Proceedings of the 14th ACM conference on Computer and communications security, 2007
Cited by 16 (0 self)
The k-Means Clustering problem is one of the most-explored problems in data mining to date. With the advent of protocols that have proven to be successful in performing single database clustering, the focus has changed in recent years to the question of how to extend the single database protocols to a multiple database setting. To date there have been numerous attempts to create specific multiparty k-means clustering protocols that protect the privacy of each database, but according to the standard cryptographic definitions of “privacy-protection,” so far all such attempts have fallen short of providing adequate privacy. In this paper we describe a Two-Party k-Means Clustering Protocol that guarantees privacy, and is more efficient than utilizing a general multiparty “compiler” to achieve the same task. In particular, a main contribution of our result is a way to compute efficiently multiple iterations of k-means clustering without revealing the intermediate values. To achieve this, we use novel techniques to perform two-party division and sample uniformly at random from an unknown domain size. Our techniques are quite general and can be realized based on the existence of any semantically secure homomorphic encryption scheme. For concreteness, we describe our protocol based on Paillier Homomorphic Encryption scheme (see [23]). We will also demonstrate that our protocol is efficient in terms of communication, remaining competitive with existing protocols (such as [15]) that fail to protect privacy.
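The property of Paillier encryption that this abstract relies on, as an added example that is not the paper's code: ciphertexts can be added, and multiplied by plaintext constants, without the key, so the party that sees only encrypted points and the cluster assignment can produce encrypted per-cluster coordinate sums and counts. The key below is toy-sized (two public Mersenne primes, not a usable key), and the points and cluster assignment are constructed for the demo.

```python
"""Paillier's additive homomorphism, the property the clustering protocol
builds on. Added example, not the paper's code. The key below is toy-sized
(two public Mersenne primes) and is NOT a usable key; the points and cluster
assignment are constructed for the demo.
"""
from math import gcd
import secrets


def lcm(a, b):
    return a * b // gcd(a, b)


class Paillier:
    """Textbook Paillier with generator g = n + 1."""

    def __init__(self, p, q):
        self.n = p * q
        self.n2 = self.n * self.n
        self.lam = lcm(p - 1, q - 1)
        # with g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n
        self.mu = pow(self.lam, -1, self.n)

    def encrypt(self, m):
        # fresh r per call: encrypting the same m twice gives different
        # ciphertexts, which is what semantic security requires
        while True:
            r = secrets.randbelow(self.n)
            if r and gcd(r, self.n) == 1:
                break
        gm = (1 + (m % self.n) * self.n) % self.n2  # (n+1)^m mod n^2 = 1 + m*n
        return (gm * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c):
        u = pow(c, self.lam, self.n2)
        return ((u - 1) // self.n * self.mu) % self.n

    def add(self, c1, c2):
        """E(m1) * E(m2) mod n^2 = E(m1 + m2 mod n)."""
        return (c1 * c2) % self.n2

    def scale(self, c, k):
        """E(m)^k mod n^2 = E(k * m mod n) for a plaintext constant k."""
        return pow(c, k, self.n2)


def encrypted_cluster_sums(key, enc_points, assignment, k):
    """Per cluster, [E(sum of coord 0), ..., E(sum of coord d-1), E(count)],
    computed by a party that holds only ciphertexts and the assignment.
    enc_points: one list of ciphertexts per point; assignment: cluster index
    per point."""
    dim = len(enc_points[0])
    sums = [[key.encrypt(0) for _ in range(dim + 1)] for _ in range(k)]
    one = key.encrypt(1)
    for enc_pt, c in zip(enc_points, assignment):
        for d, ct in enumerate(enc_pt):
            sums[c][d] = key.add(sums[c][d], ct)
        sums[c][dim] = key.add(sums[c][dim], one)
    return sums


if __name__ == "__main__":
    key = Paillier(2**31 - 1, 2**61 - 1)            # toy parameters
    points = [(1, 2), (3, 4), (10, 10), (12, 14)]   # constructed sample data
    assignment = [0, 0, 1, 1]
    enc = [[key.encrypt(v) for v in pt] for pt in points]
    for c, row in enumerate(encrypted_cluster_sums(key, enc, assignment, 2)):
        print("cluster", c, "sums and count:", [key.decrypt(x) for x in row])
```

Note what the homomorphism does not give: the next centroid is the coordinate sum divided by the count, and there is no ciphertext operation that divides one encrypted value by another. That is why the abstract singles out two-party division as a separate sub-protocol rather than a consequence of the encryption scheme.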
On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation
In Advances in Cryptology — CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, 2006
Cited by 11 (2 self)
In the setting of multiparty computation, a set of parties wish to jointly compute a function of their inputs, while preserving security in the case that some subset of them are corrupted. The typical security properties considered are privacy, correctness, independence of inputs, guaranteed output delivery and fairness. Until now, all works in this area either considered the case that the corrupted subset of parties constitutes a strict minority, or the case that a half or more of the parties are corrupted. Secure protocols for the case of an honest majority achieve full security and thus output delivery and fairness are guaranteed. However, the security of these protocols is completely compromised if there is no honest majority. In contrast, protocols for the case of no honest majority do not guarantee output delivery, but do provide privacy, correctness and independence of inputs for any number of corrupted parties. Unfortunately, an adversary controlling only a single party can disrupt the computation of these protocols and prevent output delivery. In this paper, we study the possibility of obtaining general protocols for multiparty computation that simultaneously guarantee security (allowing abort) in the case that an arbitrary number of parties are corrupted and full security (including guaranteed output delivery) in the case that only a minority of the parties are corrupted. That is, we wish to obtain the best of both worlds in a single protocol, depending on the corruption case. We obtain both positive and negative results on this question, depending on the type of the functionality to be computed (standard or reactive) and the type of dishonest majority (semi-honest or malicious).
Cryptographically Private Support Vector Machines
In Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2006
Cited by 11 (1 self)
We study the problem of private classification using kernel methods.
Improved Non-Committing Encryption with Applications to Adaptively Secure Protocols
Cited by 11 (3 self)
We present a new construction of non-committing encryption schemes. Unlike the previous constructions of Canetti et al. (STOC ’96) and of Damgård and Nielsen (Crypto ’00), our construction achieves all of the following properties:
– Optimal round complexity. Our encryption scheme is a 2-round protocol, matching the round complexity of Canetti et al. and improving upon that in Damgård and Nielsen.
– Weaker assumptions. Our construction is based on trapdoor simulatable cryptosystems, a new primitive that we introduce as a relaxation of those used in previous works. We also show how to realize this primitive based on hardness of factoring.
– Improved efficiency. The amortized complexity of encrypting a single bit is O(1) public key operations on a constant-sized plaintext in the underlying cryptosystem.
As a result, we obtain the first non-committing public-key encryption schemes under hardness of factoring and worst-case lattice assumptions; previously, such schemes were only known under the CDH and RSA assumptions. Combined with existing work on secure multiparty computation, we obtain protocols for multiparty computation secure against a malicious adversary that may adaptively corrupt an arbitrary number of parties under weaker assumptions than were previously known. Specifically, we obtain the first adaptively secure multiparty protocols based on hardness of factoring in both the stand-alone setting and the UC setting with a common reference string. Key words: public-key encryption, adaptive corruption, non-committing encryption, secure multiparty computation.
Random selection with an adversarial majority
In Advances in Cryptology — CRYPTO ’06, number 4117 in Lecture Notes in Computer Science, 2006
Cited by 10 (2 self)
We consider the problem of random selection, where p players follow a protocol to jointly select a random element of a universe of size n. However, some of the players may be adversarial and collude to force the output to lie in a small subset of the universe. We describe essentially the first protocols that solve this problem in the presence of a dishonest majority in the full-information model (where the adversary is computationally unbounded and all communication is via non-simultaneous broadcast). Our protocols are nearly optimal in several parameters, including the round complexity (as a function of n), the randomness complexity, the communication complexity, and the tradeoffs between the fraction of honest players, the probability that the output lies in a small subset of the universe, and the density of this subset.