Results 1-10 of 16
Non-Interactive CryptoComputing for NC^1
In 40th Annual Symposium on Foundations of Computer Science, 1999
Cited by 70 (0 self)
The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years, since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model, namely the number of communication rounds in which Alice and Bob need to engage to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one-round, and thus round-optimal, protocol for secure evaluation of circuits which is in polynomial-time for NC

Complete characterization of adversaries tolerable in secure multiparty computation
Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), 1997
Cited by 64 (11 self)
The classical results in unconditional multiparty computation among a set of n players state that less than n/2 passive or less than n/3 active adversaries can be tolerated; assuming a broadcast channel, the threshold for active adversaries is n/2. Strictly generalizing these results, we specify the set of potentially misbehaving players as an arbitrary set of subsets of the player set. We prove the necessary and sufficient conditions for the existence of secure multiparty protocols in terms of the potentially misbehaving player sets. For every function there exists a protocol secure against a set of potential passive collusions if and only if no two of these collusions add up to the full player set. The same condition applies for active adversaries when assuming a broadcast channel. Without broadcast channels, for every function there exists a protocol secure against a set of potential active adverse player sets if and only if no three of these sets add up to the full player set. The complexities of the protocols not using a broadcast channel are polynomial; that of the protocol with broadcast is only slightly higher.

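The two conditions in this abstract (no two adversary sets cover the player set; no three adversary sets cover it) are easy to check mechanically. The following is an added example written for this listing, not code from the paper: it represents an adversary structure as a list of player subsets, checks both conditions, and shows that the classical thresholds (t < n/2 and t < n/3) fall out as the special case where the structure is "every subset of size t". The function names, the assumption that it suffices to test the sets actually listed (if two subsets of listed sets cover the players, so do the listed sets), and the constructed player sets are all illustration choices, not the paper's notation.

```python
"""Adversary-structure checks for unconditional multiparty computation.

Added example (not from the PODC '97 paper). An adversary structure is a
collection of player subsets, any one of which the adversary may corrupt.
  q2: no two sets in the structure cover the whole player set
      (passive adversaries; active adversaries with broadcast)
  q3: no three sets in the structure cover the whole player set
      (active adversaries without broadcast)
Threshold adversaries ("any t players") are the special case where the
structure contains every t-subset, which recovers the n/2 and n/3 bounds.
"""
from itertools import combinations, combinations_with_replacement


def covers_players(players, sets):
    """True if the union of the given sets is the full player set."""
    return set().union(*sets) == set(players)


def q2(players, structure):
    """No two (possibly equal) adversary sets add up to the full player set.

    combinations_with_replacement lets a set pair with itself, which only
    matters for a degenerate structure that already contains all players.
    """
    return not any(covers_players(players, pair)
                   for pair in combinations_with_replacement(structure, 2))


def q3(players, structure):
    """No three (possibly equal) adversary sets add up to the full player set.

    Using replacement means q3 implies q2, as it should: if A and B cover
    the players then so do A, B, B.
    """
    return not any(covers_players(players, triple)
                   for triple in combinations_with_replacement(structure, 3))


def threshold_structure(players, t):
    """The classical threshold adversary: every subset of exactly t players."""
    return [frozenset(s) for s in combinations(players, t)]


def tolerable(players, structure):
    """Map the abstract's three settings onto the two conditions."""
    return {
        "passive": q2(players, structure),
        "active_with_broadcast": q2(players, structure),
        "active_no_broadcast": q3(players, structure),
    }


if __name__ == "__main__":
    players = [1, 2, 3, 4]                      # constructed player set
    # Threshold case: t=1 of 4 satisfies t<n/3 and t<n/2; t=2 violates t<n/2.
    print("t=1:", tolerable(players, threshold_structure(players, 1)))
    print("t=2:", tolerable(players, threshold_structure(players, 2)))
    # A non-threshold structure: the adversary can corrupt {1,2}, or 3, or 4.
    # No two sets cover all four players, but the three together do, so it is
    # tolerable passively and with broadcast, not actively without broadcast.
    mixed = [{1, 2}, {3}, {4}]                  # constructed structure
    print("mixed:", tolerable(players, mixed))
```

The mixed structure is the point of the generalization: it tolerates a two-player collusion that no threshold t=1 structure allows, yet is still tolerable in the passive and broadcast settings because no two of its sets together reach all four players.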
Strengthening Integrality Gaps for Capacitated Network Design and Covering Problems
Cited by 61 (1 self)
A capacitated covering IP is an integer program of the form min{cx : Ux ≥ d, 0 ≤ x ≤ b, x ∈ Z_+}, where all entries of c, U, and d are nonnegative. Given such a formulation, the ratio between the optimal integer solution and the optimal solution to the linear program relaxation can be as bad as ||d||_∞, even when U consists of a single row. We show that by adding additional inequalities, this ratio can be improved significantly. In the general case, we show that the improved ratio is bounded by the maximum number of nonzero coefficients in a row of U, and provide a polynomial-time approximation algorithm to achieve this bound. This improves the previous best approximation algorithm, which guaranteed a solution within the maximum row sum times optimum. We also show that for particular instances of capacitated covering problems, including the minimum knapsack problem and the capacitated network design problem, these additional inequalities yield even stronger improvements in the IP/LP ratio. For the minimum knapsack, we show that this improved ratio is at most 2. This is the first nontrivial IP/LP ratio for this basic problem. Capacitated network design generalizes the classical network design problem by introducing capacities on the edges, whereas previous work only considers the case when all capacities equal 1. For capacitated network design problems, we show that this improved ratio depends on a parameter of the graph, and we also provide polynomial-time approximation algorithms to match this bound. This improves on the best previous m-approximation, where m is the number of edges in the graph. We also discuss improvements for some other special capacitated covering problems, including the fixed charge network flow problem. Finally, for the capacitated network design problem, we give some stronger results and algorithms for series-parallel graphs and strengthen these further for outerplanar graphs. Most of our approximation algorithms rely on solving a single LP.
When the original LP (before adding our strengthening inequalities) has a polynomial number of constraints, we describe a combinatorial FPTAS for the LP with our (exponentially-many) inequalities added. Our contribution here is to describe an appropriate

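A worked instance of the single-row gap the abstract describes, added here as an illustration and not taken from the paper. The instance is constructed; the strengthening inequality used below is the knapsack-cover inequality, which is an assumption about what the abstract's "additional inequalities" are for the minimum knapsack case.

```latex
\text{Minimum knapsack (one row of } U\text{):}\quad
\min\ c_1 x_1 + c_2 x_2
\ \text{ s.t. }\ u_1 x_1 + u_2 x_2 \ge d,\ \ x \in \{0,1\}^2 .

\text{Constructed instance: } d = D,\quad (u_1, c_1) = (D, 1),\quad (u_2, c_2) = (D-1, 0).

\text{LP relaxation } (0 \le x \le 1):\ x_2 = 1 \text{ is free and leaves demand } 1,
\text{ so } x_1 = 1/D,\ \text{LP value } = 1/D .

\text{Integer optimum: } u_2 = D-1 < D, \text{ so } x_1 = 1 \text{ is forced, IP value } = 1 .

\frac{\text{IP}}{\text{LP}} = \frac{1}{1/D} = D = \|d\|_\infty ,
\ \text{matching the abstract's worst case for a single row.}

\text{Knapsack-cover inequality for } A \subseteq \{1,2\} \text{ with } u(A) < d:\quad
\sum_{i \notin A} \min\{u_i,\ d - u(A)\}\, x_i \ \ge\ d - u(A).

A = \{2\}:\ d - u(A) = 1 \ \Rightarrow\ \min\{D, 1\}\, x_1 \ge 1 \ \Rightarrow\ x_1 \ge 1 .

\text{Strengthened LP: } x_1 = 1,\ \text{value } 1 = \text{IP value, so the ratio drops from } D \text{ to } 1 \le 2 .
```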
Committed Oblivious Transfer and Private Multi-Party Computation
1995
Cited by 50 (10 self)
In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a_0 and a_1 and Bob is committed to b; they both want Bob to learn and commit to a_b without Alice learning b nor Bob learning a_{1-b}. Our protocol, based on the properties of error correcting codes, uses Bit Commitment (BC) and one-out-of-two Oblivious Transfer (OT) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of BC and OT used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private Multi-Party Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of BCs and OTs performed. Our approach connects Zero-Knowledge proofs on BCs, Oblivious Circuit Evaluation and Private Multi-Party ...

Complete fairness in secure two-party computation
In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, 2008
Cited by 19 (9 self)
In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness, which guarantees that if either party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general in the two-party setting; specifically, he showed (essentially) that it is impossible to compute Boolean XOR with complete fairness. Since his work, the accepted folklore has been that nothing nontrivial can be computed with complete fairness, and the question of complete fairness in secure two-party computation has been treated as closed since the late '80s. In this paper, we demonstrate that this widely held folklore belief is false by showing completely-fair secure protocols for various nontrivial two-party functions including Boolean AND/OR as well as Yao's "millionaires' problem". Surprisingly, we show that it is even possible to construct completely-fair protocols for certain functions containing an "embedded XOR", although in this case we also prove a lower bound showing that a super-logarithmic number of rounds are necessary. Our results demonstrate that the question of completely-fair secure computation without an honest majority is far from closed.

Trading correctness for privacy in unconditional multi-party computation
In Advances in Cryptology - CRYPTO '98, volume 1462 of Lecture Notes in Computer Science, 1998
Cited by 17 (9 self)
This paper improves on the classical results in unconditionally secure multi-party computation among a set of n players, by considering a model with three simultaneously occurring types of player corruption: the adversary can actively corrupt (i.e. take full control over) up to t_a players and, additionally, can passively corrupt (i.e. read the entire information of) up to t_p players and fail-corrupt (i.e. stop the computation of) up to t_f other players. The classical results in multi-party computation are for the special cases of only passive (t_a = t_f = 0) or only active (t_p = t_f = 0) corruption. In the passive case, every function can be computed securely if and only if t_p < n/2. In the active case, every function can be computed securely if and only if t_a < n/3; when a broadcast channel is available, then this bound is t_a < n/2. These bounds are tight. Strictly improving these results, one of our results states that, in addition to tolerating t_a < n/3 actively corrupted players, privacy can be

On Securely Scheduling a Meeting
In Proc. of IFIP SEC, 2001
Cited by 14 (0 self)
When people want to schedule a meeting, their agendas must be compared to find a time suitable for all participants. At the same time, people want to keep their agendas private. This paper presents several approaches which intend to solve this contradiction. A custom-made protocol for secure meeting scheduling and a protocol based on secure distributed computing are discussed. The security properties and complexity of these protocols are compared. A trade-off between trust and bandwidth requirements is shown to be possible by implementing the protocols using mobile agents.
Keywords: mobile agents, secure distributed computation, meeting scheduling

Partial Fairness in Secure Two-Party Computation
2008
Cited by 14 (5 self)
A seminal result of Cleve (STOC '86) is that, in general, complete fairness is impossible to achieve in two-party computation. In light of this, various techniques for obtaining partial fairness have been suggested in the literature. We propose a definition of partial fairness within the standard real/ideal-world paradigm that addresses deficiencies of prior definitions. We also show broad feasibility results with respect to our definition: partial fairness is possible for any (randomized) functionality f: X × Y → Z_1 × Z_2 at least one of whose domains or ranges is polynomial in size. Our protocols are always private, and when one of the domains has polynomial size our protocols also simultaneously achieve the usual notion of security with abort. In contrast to some prior work, we rely on standard assumptions only. We also show that, as far as general feasibility is concerned, our results are optimal. Specifically, there exist functions with super-polynomial domains and ranges for which it is impossible to achieve our definition.