## Non-Interactive CryptoComputing for NC1 (1999)

Venue: In 40th Annual Symposium on Foundations of Computer Science

Citations: 71 - 0 self

### BibTeX

@INPROCEEDINGS{Sander99non-interactivecryptocomputing,
    author = {Tomas Sander and Adam Young and Moti Yung},
    title = {Non-Interactive CryptoComputing for NC1},
    booktitle = {In 40th Annual Symposium on Foundations of Computer Science},
    year = {1999},
    pages = {554--567},
    publisher = {IEEE}
}

### Abstract

The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model. Namely, the number of communication rounds in which Alice and Bob need to engage to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomial time for NC

### Citations

1341 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993
Citation Context ...s assumed not in BPP, seem to require interaction based on our beliefs regarding computational complexity conjectures [24], (unless the random oracle model is assumed as a practical heuristics, as in [16, 5]). 5.3 On computing with encrypted functions The concept of mobility of executable code in networks is one of the exciting new developments. Examples are mobile code (e.g. Java applets), mobile agent ...

1184 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ...nd copying strings which can be easily done by moving the encrypted data, and (3) adding (and negating, which is actually adding a 1), which requires addition (exclusive-or) under the encryption (the [21] scheme does it, but we will get rid of this operation). Additionally, the bits at the input are distributed randomly in the correct representation. While looking ahead to computing with encrypted dat...

1046 | The knowledge complexity of interactive proof systems
- Goldwasser, Micali, et al.
- 1989

837 | How to prove yourself : practical solutions to identification and signature problems
- Fiat, Shamir
Citation Context ...s assumed not in BPP, seem to require interaction based on our beliefs regarding computational complexity conjectures [24], (unless the random oracle model is assumed as a practical heuristics, as in [16, 5]). 5.3 On computing with encrypted functions The concept of mobility of executable code in networks is one of the exciting new developments. Examples are mobile code (e.g. Java applets), mobile agent ...

677 | Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation
- Ben-Or, Goldwasser, et al.
- 1988
Citation Context ...l upon which secure circuit evaluation can be constructed [27]. Multi-party computations in the information theoretic model were given by Ben-Or, Goldwasser, Wigderson and Chaum, Crepeau and Damgaard [7, 10]. Various elegant results have been developed in this area (see [18] and a recent survey [23]). Considerable effort has been undertaken in the last few years to make these general protocols "more prac...

631 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
Citation Context ...groups of smooth order. The RSA scheme is homomorphic over the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^{\times}$ for an RSA modulus $N$. In particular all these schemes are homomorphic in (Abelian) groups. Recently, [31, 33] introduced homomorphic encryption schemes over different groups. Given the above and the natural connection to cryptocomputing, an interesting area for research is looking into which algebraic struct...

562 | How to Generate and Exchange Secrets
- Yao
- 1986
Citation Context ...hat Alice learns nothing about y and such that Bob learns nothing about x. In fact, the mechanisms developed in this work allows for such scenarios. Secure circuit evaluation has been introduced by Yao [38] and Goldreich, Micali, and Wigderson [25] based on cryptographic assumptions; other results followed in [19, 26]. Kilian, then, characterized Oblivious Transfer (O.T.) as a basic tool upon which secu...

438 | How to Play Any Mental Game
- Goldreich, Micali, et al.
- 1987
Citation Context ...that Bob learns nothing about x. In fact, the mechanisms developed in this work allows for such scenarios. Secure circuit evaluation has been introduced by Yao [38] and Goldreich, Micali, and Wigderson [25] based on cryptographic assumptions; other results followed in [19, 26]. Kilian, then, characterized Oblivious Transfer (O.T.) as a basic tool upon which secure circuit evaluation can be constructed [...

433 | Multiparty Unconditionally Secure Protocols
- Chaum, Crépeau, et al.
- 1988
Citation Context ...l upon which secure circuit evaluation can be constructed [27]. Multi-party computations in the information theoretic model were given by Ben-Or, Goldwasser, Wigderson and Chaum, Crepeau and Damgaard [7, 10]. Various elegant results have been developed in this area (see [18] and a recent survey [23]). Considerable effort has been undertaken in the last few years to make these general protocols "more prac...

192 | On the Composition of Zero Knowledge Proof Systems
- Goldreich, Krawczyk
- 1990
Citation Context ...ndom string, proofs which assure robustness on encrypted values whose decryption is assumed not in BPP, seem to require interaction based on our beliefs regarding computational complexity conjectures [24], (unless the random oracle model is assumed as a practical heuristics, as in [16, 5]). 5.3 On computing with encrypted functions The concept of mobility of executable code in networks is one of the e...

190 | Noninteractive Zero-Knowledge
- Blum, Santis, et al.
- 1991
Citation Context ...licious way trying to gain further information and violate the protocol. To prevent this we can take extra measures. • Alice may prove (e.g. using non-interactive zero-knowledge proof of Blum et al. [8]) that its public key is a valid one (to prevent obvious possible attacks by wrong choices). We assume as in the model of [8] that a trusted random string is made initially available to the parties. f...

159 | A New Public-Key Cryptosystem as Secure as Factoring
- Okamoto, Uchiyama
Citation Context ...groups of smooth order. The RSA scheme is homomorphic over the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^{\times}$ for an RSA modulus $N$. In particular all these schemes are homomorphic in (Abelian) groups. Recently, [31, 33] introduced homomorphic encryption schemes over different groups. Given the above and the natural connection to cryptocomputing, an interesting area for research is looking into which algebraic struct...

149 | Number-theoretic constructions of efficient pseudorandom functions
- Naor, Reingold
- 1997
Citation Context ...$M$, one chooses a random $r \pmod{Q}$ and computes the ciphertext $\{G^r,\ Y^r \times M \pmod{P}\}$. The semantic security of the scheme was shown to be equivalent to the Decision Diffie-Hellman assumption (see [36, 30]). The representation of zero and one is done by two fixed public quadratic residues $M_0, M_1$. On input $\{G^r,\ Y^r \times M \pmod{P}\} = \{Z_1, Z_2\}$ the algorithm SELF-RAND picks $s \in_R (\mathbb{Z}/Q\mathbb{Z})$ and out...

143 | Itinerant Agents for Mobile Computing
- CHESS, B, et al.
- 1995
Citation Context ...ing attacks and (reasonable) guarantees for the integrity of the agent's execution as a protection against tampering. Code privacy had been believed by practitioners to be impossible to achieve (e.g. [11]). This belief was supported by the argument that the code is at the full mercy of the host which may reverse engineer and analyze the code at its will. A first step in showing this to be wrong was ta...

115 | Non-Cryptographic Fault-Tolerant Computing
- Bar-Ilan, Beaver
- 1989
Citation Context ... employing basic new techniques, our method improves on previous results: Solutions which reduced interaction in multi-party secure circuit evaluation in the information theoretic model were shown in [2] for $NC^1$ circuits, whereas for computational security [4] showed how any polynomial size circuit can be evaluated in a constant number of communication rounds. We note that another model for secure c...

115 | Moni Naor. Non-Malleable Cryptography
- Dolev, Dwork
- 1991
Citation Context ...and that is why we only get a solution for log-depth circuits. We leave open the problem of extending further general algebraic homomorphic schemes, and enabling circuits of increased depth. Recently [13], a scheme which enables "computing with encrypted data" over a complete base (which includes logical NOT, OR, and AND) has been referred to as "completely 1 Boneh and Lipton [9] showed that determini...

114 | On data banks and privacy homomorphisms
- Rivest, Adleman, et al.
- 1978
Citation Context ...ficient algorithms that allow one to compute E(xy) and E(x + y) from E(x) and E(y) without revealing x and y. The existence of these schemes has been left open. In 1978 Rivest, Adleman, and Dertouzos [34] suggested investigating encryption schemes with additional homomorphic properties since they allow one to compute with encrypted data. In 1991 Feigenbaum and Merritt [15] questioned directly for alge...

112 | Secure multi-party computation. Working Draft
- Goldreich
- 2000
Citation Context ...information theoretic model were given by Ben-Or, Goldwasser, Wigderson and Chaum, Crepeau and Damgaard [7, 10]. Various elegant results have been developed in this area (see [18] and a recent survey [23]). Considerable effort has been undertaken in the last few years to make these general protocols "more practical" for interesting instances and to understand their basic computational requirements. Ab...

100 | Towards mobile cryptography
- Sander, Tschudin
- 1998
Citation Context ...e engineer and analyze the code at its will. A first step in showing this to be wrong was taken when the idea of "computing with encrypted functions (CEF)" for mobile code protection was suggested in [35]. The idea is to transform a program into an encrypted but still executable form; it was shown that this can be provably achieved for programs that evaluate certain classes of polynomials. Using our r...

92 | The round complexity of secure protocols
- Beaver, Micali, et al.
- 1990
Citation Context ...evious results: Solutions which reduced interaction in multi-party secure circuit evaluation in the information theoretic model were shown in [2] for $NC^1$ circuits, whereas for computational security [4] showed how any polynomial size circuit can be evaluated in a constant number of communication rounds. We note that another model for secure computation has recently been studied that has "few rounds"...

74 | Algorithms for black-box fields and their application to cryptography (extended abstract)
- Boneh, Lipton
- 1996
Citation Context ...ased depth. Recently [13], a scheme which enables "computing with encrypted data" over a complete base (which includes logical NOT, OR, and AND) has been referred to as "completely 1 Boneh and Lipton [9] showed that deterministic algebraically homomorphic encryption schemes over rings $\mathbb{Z}/N\mathbb{Z}$ can be broken in subexponential time under a (reasonable) number theoretic assumption. In their argument it is e...

67 | A New Public-Key Cryptosystem Based on Higher Residues
- Naccache, Stern
Citation Context ...it is surprising that only a few algebraic structures have been identified so far for which there are homomorphic encryption schemes. The Goldwasser-Micali scheme and the Benaloh scheme [6] (see also [29]) give us via Chinese Remaindering homomorphic schemes using Abelian groups of smooth order. The RSA scheme is homomorphic over the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^{\times}$ for an RSA modulus $N$. In particu...

60 | Zero-knowledge proofs of knowledge without interaction
- Santis, Persiano
- 1992
Citation Context ...sking to compute outputs on the allowed three inputs only (the two known ones and the new one to which she is committed to), the parties may employ a non-interactive zero-knowledge proof of knowledge [12]. This will assure that no information is leaked to Alice beyond the required output value. It will further assure correct simulation of the output answers. We note that without assuming the trusted r...

55 | Dense Probabilistic Encryption
- Benaloh
- 1994
Citation Context ...ations. Thus, it is surprising that only a few algebraic structures have been identified so far for which there are homomorphic encryption schemes. The Goldwasser-Micali scheme and the Benaloh scheme [6] (see also [29]) give us via Chinese Remaindering homomorphic schemes using Abelian groups of smooth order. The RSA scheme is homomorphic over the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^{\times}$ for an RSA modulus...

40 | How to solve any protocol problem - an efficiency improvement
- Goldreich, Vainish
- 1987
Citation Context ...in this work allows for such scenarios. Secure circuit evaluation has been introduced by Yao [38] and Goldreich, Micali, and Wigderson [25] based on cryptographic assumptions; other results followed in [19, 26]. Kilian, then, characterized Oblivious Transfer (O.T.) as a basic tool upon which secure circuit evaluation can be constructed [27]. Multi-party computations in the information theoretic model were g...

39 | A minimal model for secure computation
- Feige, Kilian, et al.
- 1994
Citation Context ... polynomial size circuit can be evaluated in a constant number of communication rounds. We note that another model for secure computation has recently been studied that has "few rounds". Feige et al. [14] added a trusted third party Carol to the two party model. Suppose Alice and Bob have inputs x and y. In this model, Carol should learn $f(x, y)$ for a known function $f$ but should not learn anything abou...

39 | Uses of Randomness in Algorithms and Protocols
- Kilian
- 1990
Citation Context ...] based on cryptographic assumptions; other results followed in [19, 26]. Kilian, then, characterized Oblivious Transfer (O.T.) as a basic tool upon which secure circuit evaluation can be constructed [27]. Multi-party computations in the information theoretic model were given by Ben-Or, Goldwasser, Wigderson and Chaum, Crepeau and Damgaard [7, 10]. Various elegant results have been developed in this a...

38 | Secure circuit evaluation: A protocol based on hiding information from an oracle
- Abadi, Feigenbaum
- 1990
Citation Context ...ort has been undertaken in the last few years to make these general protocols "more practical" for interesting instances and to understand their basic computational requirements. Abadi and Feigenbaum [1], for example, gave a simple protocol for secure circuit evaluation in which Alice helps Bob to evaluate each AND gate of his circuit C. An important aspect, from a practical and theoretical points of...

25 | On the security of Elgamal-based encryption
- Tsiounis, Yung
- 1998
Citation Context ...n (QRA) [21] this scheme is secure. The trapdoor information is the factorization of $N$, the size of $N$ is the security parameter. A second example is a variant of El-Gamal encryption over a sub-group [36]. Such a case is when $P = 2Q + 1$ both $P, Q$ are primes (the size of $P$ is the security parameter). Let $G$ be a generator of $\mathbb{Z}/Q\mathbb{Z}$ (of the quadratic residues in $(\mathbb{Z}/P\mathbb{Z})^{\times}$). Let the message space be t...

19 | Complexity and Security of Distributed Protocols
- Franklin
- 1993
Citation Context ...arty computations in the information theoretic model were given by Ben-Or, Goldwasser, Wigderson and Chaum, Crepeau and Damgaard [7, 10]. Various elegant results have been developed in this area (see [18] and a recent survey [23]). Considerable effort has been undertaken in the last few years to make these general protocols "more practical" for interesting instances and to understand their basic compu...

17 | Open questions, talk abstracts, and summary of discussions
- Feigenbaum, Merritt
- 1991
Citation Context ...vest, Adleman, and Dertouzos [34] suggested investigating encryption schemes with additional homomorphic properties since they allow one to compute with encrypted data. In 1991 Feigenbaum and Merritt [15] questioned directly for algebraic homomorphic schemes [15] in the form stated above. The most interesting case is an algebraic homomorphic encryption scheme over $\mathbb{Z}/2\mathbb{Z}$. Such a scheme would allow one t...

10 | Witness Based Cryptographic Program Checking and Robust Function Sharing
- Frankel, Gemmell, et al.
Citation Context ...ions from the encrypted inputs, Bob will have to evaluate the circuits correctly since otherwise he will be caught w.v.h.p. (The above is an example of witness based robustness that was introduced in [17].) This forces him to compute correctly. (We assumed that having two input/output pairs is acceptable in this case, also we assumed that there are two outputs which are different). In case we evaluate...

2 | On necessary conditions for secure distributed computing
- Ostrovsky, Yung
- 1990
Citation Context ... is that interaction is not needed (namely: the scenario which resembles "computing with encrypted data" is possible). Since our solution can implement O.T., it is optimal in its communication rounds [32]. While employing basic new techniques, our method improves on previous results: Solutions which reduced interaction in multi-party secure circuit evaluation in the information theoretic model were sh...

1 | Minimum-interactive proofs for decision problems
- Galil, Haber, et al.
- 1989