Secure Multiparty Computations on Bitcoin
Cited by 17 (0 self)
Bitcoin is a decentralized digital currency, introduced in 2008, that has recently gained noticeable popularity. Its main features are: (a) it lacks a central authority that controls the transactions, (b) the list of transactions is publicly available, and (c) its syntax allows more advanced transactions than simply transferring the money. The goal of this paper is to show how these properties of Bitcoin can be used in the area of secure multiparty computation protocols (MPCs). Firstly, we show that the Bitcoin system provides an attractive way to construct a version of “timed commitments”, where the committer has to reveal his secret within a certain time frame, or to pay a fine. This, in turn, can be used to obtain fairness in some multiparty protocols. Secondly, we introduce a concept of multiparty protocols that work “directly on Bitcoin”. Recall that the standard definition of the MPCs guarantees only that the protocol “emulates the trusted third party”. Hence ensuring that the inputs are correct, and the outcome is respected, is beyond the scope of the definition. Our observation is that the Bitcoin system can be used to go beyond the standard “emulation-based” definition, by constructing protocols that link their inputs and outputs with real Bitcoin transactions. As an instantiation of this idea we construct protocols for secure multiparty lotteries using the Bitcoin currency, without relying on a trusted authority (one of these protocols uses the Bitcoin-based timed commitments mentioned above). Our protocols guarantee fairness for the honest parties no matter how the loser behaves. For example: if one party interrupts the protocol then her money is transferred to the honest participants. Our protocols are practical (to demonstrate it we performed their transactions in the actual Bitcoin system), and can be used in real life as a replacement for online gambling sites. We think that this paradigm can also have other applications. We discuss some of them.
Estimating Key Sizes For High Dimensional Lattice Based Systems
Cited by 11 (2 self)
Abstract. We revisit the estimation of parameters for use in applications of the BGV homomorphic encryption system, which generally require high dimensional lattices. In particular, we utilize the BKZ-2.0 simulator of Chen and Nguyen to identify the best lattice attack that can be mounted using BKZ in a given dimension at a given security level. Using this technique, we show that it should be possible to work with lattices of smaller dimensions than previous methods have recommended, while still maintaining reasonable levels of security. As example applications we look at the evaluation of AES via FHE operations presented at Crypto 2012, and the parameters for the SHE variant of BGV used in the SPDZ protocol from Crypto 2012.
Publicly auditable secure multiparty computation
SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge. In: CRYPTO 2013, 2013
Cited by 8 (0 self)
Abstract. In the last few years the efficiency of secure multiparty computation (MPC) has increased by several orders of magnitude. However, this alone might not be enough if we want MPC protocols to be used in practice. A crucial property that is needed in many applications is that everyone can check that a given (secure) computation was performed correctly – even in the extreme case where all the parties involved in the computation are corrupted, and even if the party who wants to verify the result was not participating. This is especially relevant in the clients-servers setting, where many clients provide input to a secure computation performed by a few servers. An obvious example of this is electronic voting, but also in many types of auctions one may want independent verification of the result. Traditionally, this is achieved by using non-interactive zero-knowledge proofs during the computation. A recent trend in MPC protocols is to have a more expensive preprocessing phase followed by a very efficient online phase, e.g., the recent so-called SPDZ protocol by Damgård et al. Applications such as voting and some auctions are perfect use-cases for these protocols, as the parties usually know well in advance when the computation will take place, and using those protocols allows us to use only cheap information-theoretic primitives in the actual computation. Unfortunately no protocol of the SPDZ type supports an audit phase.
Dishonest Majority Multi-Party Computation for Binary Circuits
Cited by 4 (1 self)
Abstract. We extend the TinyOT two-party protocol of Nielsen et al. (CRYPTO 2012) to the case of n parties in the dishonest majority setting. This is done by presenting a novel way of transferring pairwise authentications into global authentications. As a by-product we obtain a more efficient manner of producing globally authenticated shares, in the random oracle model, which in turn leads to a more efficient two-party protocol than that of Nielsen et al.
An Empirical Study and some Improvements of the MiniMac Protocol for Secure Computation
Cited by 3 (0 self)
Abstract. Recent developments in Multiparty Computation (MPC) have resulted in very efficient protocols for dishonest majority in the preprocessing model. In particular, two very promising protocols for Boolean circuits have been proposed by Nielsen et al. (nicknamed TinyOT) and by Damgård and Zakarias (nicknamed MiniMac). While TinyOT has already been implemented, we present in this paper the first implementation of MiniMac, using the same platform as the existing TinyOT implementation. We also suggest several improvements of MiniMac, both on the protocol design and implementation level. In particular, we suggest a modification of MiniMac that achieves increased parallelism at no extra communication cost. This gives an asymptotic improvement of the original protocol as well as an 8-fold speedup of our implementation. We compare the resulting protocol to TinyOT for the case of secure computation in parallel of a large number of AES encryptions and find that it performs better than results reported so far on TinyOT, on the same hardware.
Oblivious Polynomial Evaluation and Secure Set-Intersection from Algebraic PRFs
Cited by 2 (0 self)
In this paper we study the two fundamental functionalities oblivious polynomial evaluation in the exponent and set-intersection, and introduce a new technique for designing efficient secure protocols for these problems (and others). Our starting point is the [BGV11] technique (CRYPTO 2011) for verifiable delegation of polynomial evaluations, using algebraic PRFs. We use this tool, which is useful to achieve verifiability in the outsourced setting, in order to achieve privacy in the standard two-party setting. Our results imply new simple and efficient oblivious polynomial evaluation (OPE) protocols. We further show that our OPE protocols are readily used for secure set-intersection, implying much simpler protocols in the plain model. As a side result, we demonstrate the usefulness of algebraic PRFs for various search functionalities, such as keyword search and oblivious transfer with adaptive queries. Our protocols are secure under full simulation-based definitions in the presence of malicious adversaries.
Smart meter aggregation via secret-sharing
in Proceedings of the First ACM Workshop on Smart Energy Grid Security, ser. SEGS ’13
Cited by 1 (0 self)
We design and prototype protocols for processing smart-meter readings while preserving user privacy. We provide support for computing non-linear functions on encrypted readings, implemented by adapting to our setting efficient secret-sharing-based secure multiparty computation techniques. Meter readings are jointly processed by a (public) storage service and a few independent authorities, each owning an additive share of the readings. For non-linear processing, these parties consume pre-shared materials, produced by an offline trusted third party. This party never processes private readings; it may be implemented using trusted hardware or somewhat homomorphic encryption. The protocol involves minimal, offline support from the meters—a few keyed hash computations and no communication overhead.
Efficient, Oblivious Data Structures for MPC
Cited by 1 (1 self)
Abstract. We present oblivious implementations of several data structures for secure multiparty computation (MPC) such as arrays, dictionaries, and priority queues. The resulting oblivious data structures have only polylogarithmic overhead compared with their classical counterparts. To achieve this, we give secure multiparty protocols for the ORAM of Shi et al. (Asiacrypt ’11) and the Path ORAM scheme of Stefanov et al. (CCS ’13), and we compare the resulting implementations. We subsequently use our oblivious priority queue for secure computation of Dijkstra’s shortest path algorithm on general graphs, where the graph structure is secret. To the best of our knowledge, this is the first implementation of a non-trivial graph algorithm in multiparty computation with polylogarithmic overhead. We implemented and benchmarked all of our protocols using the SPDZ protocol of Damgård et al. (Crypto ’12), which works in the preprocessing model and ensures active security against an adversary corrupting all but one player. For two parties, the online access time for an oblivious array of size 1 million is under 250 ms.
Bootstrapping BGV Ciphertexts With A Wider Choice of p and q
Cited by 1 (0 self)
Abstract. We describe a method to bootstrap a packed BGV ciphertext which does not depend (as much) on any special properties of the plaintext and ciphertext moduli. Prior “efficient” methods such as that of Gentry et al. (PKC 2012) required a ciphertext modulus q which was close to a power of the plaintext modulus p. This enables our method to be applied in a larger number of situations. Also, unlike previous methods, our depth grows only as log log q as opposed to the log q of previous methods. The basic bootstrapping technique makes use of a representation of the group Z_q^+ over the finite field F_p (either based on polynomials or elliptic curves). This technique is then extended to the full BGV packed ciphertext space, using a method whose depth depends only logarithmically on the number of packed elements. This method may be of interest as an alternative to the method of Alperin-Sheriff and Peikert (CRYPTO 2013). To aid efficiency we utilize the ring/field switching technique of Gentry et al. (SCN 2012, JCS 2013).