Citation Context

...om a domain of size N. A circuit computing this function has O(log N) gates, and therefore can be securely evaluated with this overhead. Specialized protocols for this function were also suggested in =-=[9, 18, 17]-=-, and they essentially have the same overhead. A solution in [3] provides fairness in addition to security. A circuit-based solution for computing PM of datasets of length k requires O(k 2 log N) comm...

Citation Context

...1) exponentiations but still operate only on bits, while Camenisch and Cachin [CC00] give a stringCOT protocol, but it requires O(k) modular exponentiations where k is the security parameter. Lipmaa =-=[Lip03]-=- proposed to extend the (non-committed) string-OT protocol of Aiello et al. [AIR01] to a committed OT protocol on strings at the cost of O(1) exponentiations. While this protocol does ensure that the ...

Citation Context

... the unchosen strings s1−bii whereas S learns nothing about the choices bi. Efficient OT protocols. We use OTm` as a black-box primitive which can be instantiated efficiently with different protocols =-=[38,2,36,26]-=-. For example the protocol of [2] implemented over a suitably chosen elliptic curve has communication complexity m(6(2t+ 1)) + (2t+ 1) ∼ 12mt bits and is secure against malicious C and semi-honest S i...

Citation Context

...me cell in any grid. The round dots represent maximally separated users are in the same cell in one of the grids (the bold one). The private equality testing problem was studied in a number of papers =-=[13, 34, 7, 28]-=-. Here we describe two concrete protocols that are especially well suited for our purposes. They solve the following problem: Input: Alice has value a representing her location. Bob has value b repres...

Citation Context

... learns s bi i , but nothing about s 1−bi i whereas S learns nothing about bi. We use OT m ℓ as a black-box primitive in our constructions. It can be instantiated efficiently with different protocols =-=[24,2,21,13]-=-. Extensions of [13] can be used to reduce the number of computationally expensive public-key operations to be independent of m. We omit the parameters m or ℓ if they are clear from the context. Garbl...

Citation Context

...ralized circuit evaluation gives a protocol for privately computing equality with O(lg |P |) overhead, where P is the domain from which elements are chosen. Protocols for this problem are proposed in =-=[9, 25, 21]-=-, and are approximately as expensive. Fairness is added in [3]. Determining whether input sets (subsets of [|P |]) are disjoint (without privacy) has communication overhead of Θ(|P |) [18, 28]. This i...

Citation Context

...lacing, e.g., the use of Ω-protocols by Σ-protocols). If the parties are committed to the inputs of the OT protocol but there is no commitment to chooser’s output we refer to this variant as Verifiable OT (VOT) in this paper. In this direction, Cachin and Camenisch [CC00] as well as Jarecki and Shmatikov [JS07] present protocols for VOT in 2 rounds. These protocols can be converted into COT by requesting the chooser to recommit to its received value and to prove the validity of this commitment w.r.t. the commitments for the inputs. In general, this incurs one extra communication round. Lipmaa [Lip03] also presents a protocol under the name verifiable homomorphic oblivious transfer for strings. However, verifiability is defined in a different sense. The chooser will get commitments to all inputs of the sender which can later be used and referred to by the surrounding protocol. Similarly, the sender gets an encryption of the chooser’s input. Hence, this is yet another form of OT, 132 M.S. Kiraz, B. Schoenmakers, and J. Villegas which is related to COT and VOT, and is somewhat similar to the notion of “committing OT”, introduced later in [KS06]. Recently, Camenisch et al. [CNs07] presented a...