Results 1-5 of 5
On the amortized complexity of zero-knowledge protocols
Lecture Notes in Computer Science, 2009
Cited by 19 (2 self)
Abstract. We present a protocol that allows one to prove in zero-knowledge that committed values x_i, y_i, z_i, i = 1, ..., l satisfy x_i y_i = z_i, where the values are taken from a finite field K, or are integers. The amortized communication complexity per instance proven is O(κ + l) for an error probability of 2^{-l}, where κ is the size of a commitment. When the committed values are from a field of small constant size, this improves the complexity of previous solutions by a factor of l. When the values are integers, we improve on security: whereas previous solutions with similar efficiency require the strong RSA assumption, we only need the assumption required by the commitment scheme itself, namely factoring. We generalize this to a protocol that verifies l instances of an algebraic circuit D over K with v inputs, in the following sense: given committed values x_{i,j} and z_i, with i = 1, ..., l and j = 1, ..., v, the prover shows that D(x_{i,1}, ..., x_{i,v}) = z_i for i = 1, ..., l. For circuits with small multiplicative depth, this approach is better than using our first protocol: in fact, the amortized cost may be asymptotically smaller than the number of multiplications in D.
Efficient Asynchronous Verifiable Secret Sharing and Multiparty Computation
Secure Multi-Party Computation (MPC) providing information theoretic security allows a set of n parties to securely compute an agreed function F over a finite field F, even if t parties are under the control of a computationally unbounded active adversary. Asynchronous MPC (AMPC) is an important variant of MPC, which works over an asynchronous network. It is well known that perfect AMPC is possible if and only if n ≥ 4t + 1, while statistical AMPC is possible if and only if n ≥ 3t + 1. In this paper, we study the communication complexity of AMPC protocols (both statistical and perfect) designed with exactly n = 4t + 1 parties. Our major contributions in this paper are as follows: 1. Asynchronous Verifiable Secret Sharing (AVSS) is one of the main building blocks for AMPC. In this paper, we design two AVSS protocols with 4t + 1 parties: the first one is statistically secure and has non-optimal resilience, while the second one is perfectly secure and has optimal resilience. Both these schemes achieve a common interesting property, which was not achieved by the previous schemes. Specifically, our AVSS schemes allow one to share a secret through a polynomial of degree at most d, where t ≤ d ≤ 2t. In contrast, the existing AVSS schemes can share a secret only through a polynomial of degree at most t. The new property of our AVSS simplifies the
Circuits Resilient to Additive Attacks with Applications to Secure Computation
2015
We study the question of protecting arithmetic circuits against additive attacks, which can add an arbitrary fixed value to each wire in the circuit. This extends the notion of algebraic manipulation detection (AMD) codes, which protect information against additive attacks, to that of AMD circuits, which protect computation. We present a construction of such AMD circuits: any arithmetic circuit C over a finite field F can be converted into a functionally-equivalent randomized arithmetic circuit Ĉ of size O(C) that is fault-tolerant in the following sense. For any additive attack on the wires of Ĉ, its effect on the output of Ĉ can be simulated, up to O(C/F) statistical distance, by an additive attack on just the input and output. Given a small tamper-proof encoder/decoder for AMD codes, the input and output can be protected as well. We also give an alternative construction, applicable to small fields (for example, to protect Boolean circuits against wire-toggling attacks). It uses a small tamper-proof decoder to ensure that, except with negligible failure probability, either the output is correct or tampering is detected. Our study of AMD circuits is motivated by simplifying and improving protocols for secure mul
On the Communication required for Unconditionally Secure Multiplication
Abstract. Many information theoretically secure protocols are known for general secure multiparty computation, both in the honest majority setting, and in the dishonest majority setting with preprocessing. All known protocols that are efficient in the circuit size of the evaluated function follow the same typical "gate-by-gate" design pattern: we work our way through a Boolean or arithmetic circuit, maintaining as an invariant that after we process a gate, the output of the gate is represented as a random secret sharing among the players. Finally, all shares for the outputs are revealed. This approach usually allows non-interactive processing of addition gates but requires communication for every multiplication gate. This means that while information theoretically secure protocols are very efficient in terms of computational work, they (seem to) require more communication and more rounds than computationally secure protocols. Whether this is inherent is an open and probably very hard problem. However, in this work we show that it is indeed inherent for protocols that follow the "gate-by-gate" design pattern. In particular, we present the following results:
– In the honest majority setting, any gate-by-gate protocol must communicate for every multiplication gate, even if only semi-honest security is required.
– For dishonest majority with preprocessing, a different proof technique is needed. We again show that any gate-by-gate protocol must communicate for every multiplication gate when the underlying secret sharing scheme is the additive one. We obtain similar results for arbitrary secret sharing schemes.
– In the honest majority setting, we also show that amortising over several multiplication gates can at best save an O(n) factor on the computational work.
All our lower bounds are met up to a constant factor by known protocols that follow the typical gate-by-gate paradigm.
Our results imply that a fundamentally new approach must be found in order to improve the communication complexity of known protocols that are efficient in the circuit size of the function, such as GMW, SPDZ etc.
Université de Montréal. Practical and Foundational Aspects of Secure Computation, by
Faculty of Arts and Sciences. Thesis presented to the Faculty of Graduate Studies in fulfilment of the requirements for the degree of Philosophiæ Doctor (Ph.D.)