Results 1-10 of 91
Privacy-preserving set operations
In Advances in Cryptology - CRYPTO 2005, LNCS, 2005
"... In many important applications, a collection of mutually distrustful parties must perform private computation over multisets. Each party’s input to the function is his private input multiset. In order to protect these private sets, the players perform privacypreserving computation; that is, no part ..."
Abstract

Cited by 100 (0 self)
 Add to MetaCart
In many important applications, a collection of mutually distrustful parties must perform private computation over multisets. Each party's input to the function is his private input multiset. In order to protect these private sets, the players perform privacy-preserving computation; that is, no party learns more information about other parties' private input sets than what can be deduced from the result. In this paper, we propose efficient techniques for privacy-preserving operations on multisets. By employing the mathematical properties of polynomials, we build a framework of efficient, secure, and composable multiset operations: the union, intersection, and element reduction operations. We apply these techniques to a wide range of practical problems, achieving more efficient results than those of previous work.
Private Circuits: Securing Hardware against Probing Attacks
In Proceedings of CRYPTO 2003, 2003
"... Abstract. Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an a ..."
Abstract

Cited by 70 (3 self)
 Add to MetaCart
Can you guarantee secrecy even if an adversary can eavesdrop on your brain? We consider the problem of protecting privacy in circuits, when faced with an adversary that can access a bounded number of wires in the circuit. This question is motivated by side channel attacks, which allow an adversary to gain partial access to the inner workings of hardware. Recent work has shown that side channel attacks pose a serious threat to cryptosystems implemented in embedded devices. In this paper, we develop theoretical foundations for security against side channels. In particular, we propose several efficient techniques for building private circuits resisting this type of attack. We initiate a systematic study of the complexity of such private circuits, and in contrast to most prior work in this area provide a formal threat model and give proofs of security for our constructions.
Efficient Multiparty Computations Secure Against an Adaptive Adversary
1999
"... We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the securechannels model, where a broadcast channel is given and a nonzero error probability is allowed. In this model Rabin and BenOr proposed VSS and MPC protocols secure against an adversary that can corrupt a ..."
Abstract

Cited by 67 (17 self)
 Add to MetaCart
We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the secure-channels model, where a broadcast channel is given and a non-zero error probability is allowed. In this model Rabin and Ben-Or proposed VSS and MPC protocols secure against an adversary that can corrupt any minority of the players. In this paper, we first observe that a subprotocol of theirs, known as weak secret sharing (WSS), is not secure against an adaptive adversary, contrary to what was believed earlier. We then propose new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones. Our protocols generalize easily to provide security against general Q²-adversaries.
Distributing Trust on the Internet
In Proc. International Conference on Dependable Systems and Networks (DSN2001), 2000
"... This paper describes an architecture for secure and faulttolerant service replication in an asynchronous network such as the Internet, where a malicious adversary may corrupt some servers and control the network. It relies on recent protocols for randomized Byzantine agreement and for atomic broadc ..."
Abstract

Cited by 35 (7 self)
 Add to MetaCart
This paper describes an architecture for secure and fault-tolerant service replication in an asynchronous network such as the Internet, where a malicious adversary may corrupt some servers and control the network. It relies on recent protocols for randomized Byzantine agreement and for atomic broadcast, which exploit concepts from threshold cryptography. The model and its assumptions are discussed in detail and compared to related work from the last decade in the first part of this work, and an overview of the broadcast protocols in the architecture is provided. The standard approach in fault-tolerant distributed systems is to assume that at most a certain fraction of servers fails. In the second part, novel general failure patterns and corresponding protocols are introduced. They allow for realistic modeling of real-world trust assumptions, beyond (weighted) threshold models. Finally, it is discussed how three different applications can be realized using such an architecture: ...
Distributed Pseudo-Random Functions and KDCs
In Advances in Cryptology: EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, 1999
"... This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorize ..."
Abstract

Cited by 29 (0 self)
 Add to MetaCart
This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x). The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.
Efficient Secure Multi-Party Computation
Asiacrypt 2000, 2000
"... ) Martin Hirt 1 , Ueli Maurer 1 , and Bartosz Przydatek 2?? 1 ETH Zurich, Switzerland, fhirt,maurerg@inf.ethz.ch 2 Carnegie Mellon University, USA, bartosz@cs.cmu.edu Asiacrypt 2000 Abstract. Since the introduction of secure multiparty computation, all proposed protocols that provide s ..."
Abstract

Cited by 28 (3 self)
 Add to MetaCart
Martin Hirt and Ueli Maurer (ETH Zurich, Switzerland, {hirt,maurer}@inf.ethz.ch) and Bartosz Przydatek (Carnegie Mellon University, USA, bartosz@cs.cmu.edu). Asiacrypt 2000.
Since the introduction of secure multi-party computation, all proposed protocols that provide security against cheating players suffer from very high communication complexities. The most efficient unconditionally secure protocols among n players, tolerating cheating by up to t < n/3 of them, require communicating O(n^6) field elements for each multiplication of two elements, even if only one player cheats. In this paper, we propose a perfectly secure multi-party protocol which requires communicating O(n^3) field elements per multiplication. In this protocol, the number of invocations of the broadcast primitive is independent of the size of the circuit to be computed. The proposed techniques are generic and apply to other protocols for robust distributed computations. Furthe...
Parallel Reducibility for Information-Theoretically Secure Computation
In Proc. of Crypto, Springer-Verlag (LNCS 1880), 2000
"... Abstract. Secure Function Evaluation (SFE) protocols are very hard to design, and reducibility has been recognized as a highly desirable property of SFE protocols. Informally speaking, reducibility (sometimes called modular composition) is the automatic ability to break up the design of complex SFE ..."
Abstract

Cited by 27 (7 self)
 Add to MetaCart
Secure Function Evaluation (SFE) protocols are very hard to design, and reducibility has been recognized as a highly desirable property of SFE protocols. Informally speaking, reducibility (sometimes called modular composition) is the automatic ability to break up the design of complex SFE protocols into several simpler, individually secure components. Despite much effort, only the most basic type of reducibility, sequential reducibility (where only a single subprotocol can be run at a time), has been considered and proven to hold for a specific class of SFE protocols. Unfortunately, sequential reducibility does not allow one to save on the number of rounds (often the most expensive resource in a distributed setting), and achieving more general notions is not easy (indeed, certain SFE notions provably enjoy sequential reducibility, but fail to enjoy more general ones). In this paper, for information-theoretic SFE protocols, we
• Formalize the notion of parallel reducibility, where subprotocols can be run at the same time;
• Clarify that there are two distinct forms of parallel reducibility:
  ⋆ Concurrent reducibility, which applies when the order of the subprotocol calls is not important (and which reduces the round complexity dramatically as compared to sequential reducibility); and
  ⋆ Synchronous reducibility, which applies when the subprotocols must be executed simultaneously (and which allows modular design in settings where sequential reducibility does not even apply).
• Show that a large class of SFE protocols (i.e., those satisfying a slight modification of the original definition of Micali and Rogaway [15]) provably enjoy (both forms of) parallel reducibility.
The Round Complexity of Verifiable Secret Sharing and Secure Multicast
2001
"... The round complexity of interactive protocols is one of their most important complexity measures. In this work we study the exact round complexity of two basic secure computation tasks: Verifiable Secret Sharing (VSS) and Secure Multicast. VSS allows a dealer to share a secret among several players ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
The round complexity of interactive protocols is one of their most important complexity measures. In this work we study the exact round complexity of two basic secure computation tasks: Verifiable Secret Sharing (VSS) and Secure Multicast. VSS allows a dealer to share a secret among several players in a way that would later allow a unique reconstruction of the secret. It is a well-studied primitive, which is used as a building block in virtually every general protocol for secure multiparty computation. Secure multicast is perhaps the simplest non-trivial instance of a secure computation. It allows a dealer to securely distribute an identical message to all players in a prescribed subset M. Both types of protocols are parameterized by the number of players, n, and a security threshold, t, which bounds the total number of malicious players (possibly including the dealer).
Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups
In Proc. of CRYPTO '02, LNCS 2442, 2002
"... Abstract. A blackbox secret sharing scheme for the threshold access structure Tt,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vector ..."
Abstract

Cited by 25 (7 self)
 Add to MetaCart
A black-box secret sharing scheme for the threshold access structure T_{t,n} is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_{t,n}, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multiparty computation over black-box rings. In 1994 Desmedt and Frankel have proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_{t,n} with 0 < t < n − 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with coprime determinants, we construct, for arbitrary given T_{t,n} with 0 < t < n − 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.
Secure Multi-Party Computation Made Simple
In Communication Networks, 2002
"... A simple approach to secure multiparty computation is presented. Unlike ..."
Abstract

Cited by 23 (3 self)
 Add to MetaCart
A simple approach to secure multiparty computation is presented. Unlike