## Strong Conditional Oblivious Transfer and Computing on Intervals (2004)

Venue: | IN ADVANCES IN CRYPTOLOGY - ASIACRYPT 2004 |

Citations: | 29 - 8 self |

### BibTeX

@INPROCEEDINGS{Blake04strongconditional,

author = {Ian F. Blake and Vladimir Kolesnikov},

title = {Strong Conditional Oblivious Transfer and Computing on Intervals},

booktitle = {IN ADVANCES IN CRYPTOLOGY - ASIACRYPT 2004},

year = {2004},

pages = {515--529},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

We consider the problem of securely computing the Greater Than (GT) predicate and its generalization -- securely determining membership in a union of intervals. We approach these problems from the point of view of Q-Conditional Oblivious Transfer (Q-COT), introduced by Di Crescenzo, Ostrovsky and Rajagopalan [4]. Q-COT is an oblivious transfer that occurs i# predicate Q evaluates to true on the parties' inputs. We are working in the semi-honest model with computationally unbounded receiver. In this paper

### Citations

631 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
(Show Context)
Citation Context ... scheme is multiplicatively homomorphic, and Goldwasser-Micali [10] and Pail1 Correctness parameter specifies the allowed probability of error in the protocols.s518 I.F. Blake, and V. Kolesnikov lier =-=[18]-=- schemes are additively homomorphic. Unfortunately, it is not known whether there exists a scheme that is algebraically (i.e. both additively and multiplicatively) homomorphic. We note that an additiv... |

433 |
Multiparty Unconditionally Secure Protocols
- Chaum, Crépeau, et al.
- 1988
(Show Context)
Citation Context ...eceiver (Alice) is very appealing, both for oblivious transfer and general computations. Numerous papers consider unconditional security against one or more parties, in particular, the receiver, e.g. =-=[2, 3, 5, 11, 17]-=-. Practical one-round computation with unbounded first party (Alice) currently seems to be hard to achieve. The best known general approach [21] offers only polynomial efficiency and only for computin... |

380 | Privacy preserving data mining
- Lindell, Pinkas
(Show Context)
Citation Context ...or perform computations on, their joint database. Many interesting properties and computations, such as transaction classification or rule mining, involve evaluating a large number of instances of GT =-=[12, 14]-=-. Because of the large size of the databases, even a minor efficiency gain in computing GT results in significant performance improvements. P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 515–529, 2004... |

236 |
Founding cryptography on oblivious transfer
- Kilian
- 1988
(Show Context)
Citation Context ...unctionality fQ−SCOT (1) in the given model. We note that this general definition covers the case when Q is probabilistic. 2 Clearly, because secure multi-party computation can be based on OT (Kilian =-=[13]-=-), COT implies SCOT. This solution, however, is inefficient. 3 Of course, in some of the combinations it is not possible to have nontrivial secure SCOT protocols, such as when both parties are computa... |

205 | Efficient private matching and set intersection - Freedman, Nissim, et al. - 2004 |

185 | Privacy preserving auctions and mechanism design
- Naor, Pinkas, et al.
- 1999
(Show Context)
Citation Context ...eceiver (Alice) is very appealing, both for oblivious transfer and general computations. Numerous papers consider unconditional security against one or more parties, in particular, the receiver, e.g. =-=[2, 3, 5, 11, 17]-=-. Practical one-round computation with unbounded first party (Alice) currently seems to be hard to achieve. The best known general approach [21] offers only polynomial efficiency and only for computin... |

174 |
Foundations of Cryptography: Volume 2, Basic Applications, volume 2. Cambridge university press
- Goldreich
- 2009
(Show Context)
Citation Context ... Fischlin, Di Crescenzo et al., and ours in the Table in Sect. 4.2. 1.2 Definitions and Preliminaries We start by introducing the necessary terminology and notation, and refer the reader to Goldreich =-=[9]-=- for in-depth discussion. We are working in a setting with two semi-honest participants, who use randomness in their computation. By a two-party functionality we mean a possibly random process that ma... |

168 | Privacy-preserving distributed mining of association rules on horizontally partitioned data
- Kantarcioglu, Clifton
- 2002
(Show Context)
Citation Context ...or perform computations on, their joint database. Many interesting properties and computations, such as transaction classification or rule mining, involve evaluating a large number of instances of GT =-=[12, 14]-=-. Because of the large size of the databases, even a minor efficiency gain in computing GT results in significant performance improvements. P.J. Lee (Ed.): ASIACRYPT 2004, LNCS 3329, pp. 515–529, 2004... |

117 |
Probabilistic Encryption & How to Play Mental Poker Keeping Secret All Partial Information
- Goldwasser, Micali
- 1982
(Show Context)
Citation Context ...ditive scheme allows to compute E(x + y) from E(x) and E(y)). Many of the commonly used schemes are homomorphic. For example, the ElGamal scheme is multiplicatively homomorphic, and Goldwasser-Micali =-=[10]-=- and Pail1 Correctness parameter specifies the allowed probability of error in the protocols.s518 I.F. Blake, and V. Kolesnikov lier [18] schemes are additively homomorphic. Unfortunately, it is not k... |

92 | The round complexity of secure protocols
- Beaver, Micali, et al.
- 1990
(Show Context)
Citation Context ...f Q(x, y) =1. 3 The GT-SCOT Protocol Research specifically addressing the GT problem is quite extensive. It was considered (as a special case) in the context of general secure multi-party computation =-=[1, 15, 17, 20, 23, 22]-=-, whose solution is now well-known and celebrated. This general approach is impractical. However, because the circuit for computing GT is quite small, it is the best currently known one-round solution... |

71 | One-round secure computation and secure autonomous mobile agents
- Cachin, Camenisch, et al.
- 2000
(Show Context)
Citation Context ...eceiver (Alice) is very appealing, both for oblivious transfer and general computations. Numerous papers consider unconditional security against one or more parties, in particular, the receiver, e.g. =-=[2, 3, 5, 11, 17]-=-. Practical one-round computation with unbounded first party (Alice) currently seems to be hard to achieve. The best known general approach [21] offers only polynomial efficiency and only for computin... |

64 | B.: A Proof of Yao’s Protocol for Secure Two-Party Computation
- Lindell, Pinkas
(Show Context)
Citation Context ... known general approach [21] offers only polynomial efficiency and only for computing NC 1 circuits. At the same time, if Alice is bounded, we could use very efficient Yao’s garbled circuit approach (=-=[15, 17, 20, 22]-=-) at the cost linear with the size of the circuit. We solve the posed problems in the difficult setting (unbounded Alice), while achieving performance only slightly worse than the best known approach ... |

34 | A cost-effective pay-per-multiplication comparison method for millionaires
- Fischlin
- 2001
(Show Context)
Citation Context ...om a homomorphic encryption scheme. We exploit the structure of the GT predicate in a novel way to arrive at a solution that is more efficient and flexible than the best previously known (of Fischlin =-=[6]-=-) for our model with unbounded Alice. Additionally, our construction is the first to offer transfer of c-bit secrets, with c ≈ 1000 for practical applications, at no extra cost, with one invocation of... |

16 | Elliptic curve paillier schemes
- Galbraith
(Show Context)
Citation Context ...” our protocols with the original Paillier scheme. We remark that the Paillier scheme has received much attention in the literature recently, and several variants, including an elliptic curve version =-=[8]-=-, have appeared. Using more efficient implementations may further improve our results. Let (Gen, Enc, Dec) be the instance generation, encryption and decryption algorithms, respectively, of such a sch... |

8 | Conditional Oblivious Transfer and time released encryption, CRYPTO’99, LNCS 1592
- Crescenzo, Ostrovsky, et al.
- 1999
(Show Context)
Citation Context ...ly determining membership in a union of intervals. We approach these problems from the point of view of Q-Conditional Oblivious Transfer (Q-COT), introduced by Di Crescenzo, Ostrovsky and Rajagopalan =-=[4]-=-. Q-COT is an oblivious transfer that occurs iff predicate Q evaluates to true on the parties’ inputs. We are working in the semi-honest model with computationally unbounded receiver. In this paper, w... |

6 | Efficient commitment schemes with bounded sender and unbounded receiver
- Halevi
- 1999
(Show Context)
Citation Context |

4 |
Unconditionally secure authentication schemes and practical and theoretical consequences
- Desmedt
- 1986
(Show Context)
Citation Context |