Results 1-10 of 30
Complete fairness in secure two-party computation
 In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, 2008
Cited by 33 (11 self)
In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness, which guarantees that if either party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general in the two-party setting; specifically, he showed (essentially) that it is impossible to compute Boolean XOR with complete fairness. Since his work, the accepted folklore has been that nothing nontrivial can be computed with complete fairness, and the question of complete fairness in secure two-party computation has been treated as closed since the late ’80s. In this paper, we demonstrate that this widely held folklore belief is false by showing completely-fair secure protocols for various nontrivial two-party functions including Boolean AND/OR as well as Yao’s “millionaires’ problem”. Surprisingly, we show that it is even possible to construct completely-fair protocols for certain functions containing an “embedded XOR”, although in this case we also prove a lower bound showing that a superlogarithmic number of rounds are necessary. Our results demonstrate that the question of completely-fair secure computation without an honest majority is far from closed.
Partial Fairness in Secure Two-Party Computation
2008
Cited by 23 (5 self)
A seminal result of Cleve (STOC ’86) is that, in general, complete fairness is impossible to achieve in two-party computation. In light of this, various techniques for obtaining partial fairness have been suggested in the literature. We propose a definition of partial fairness within the standard real/ideal-world paradigm that addresses deficiencies of prior definitions. We also show broad feasibility results with respect to our definition: partial fairness is possible for any (randomized) functionality f: X × Y → Z_1 × Z_2 at least one of whose domains or ranges is polynomial in size. Our protocols are always private, and when one of the domains has polynomial size our protocols also simultaneously achieve the usual notion of security with abort. In contrast to some prior work, we rely on standard assumptions only. We also show that, as far as general feasibility is concerned, our results are optimal. Specifically, there exist functions with superpolynomial domains and ranges for which it is impossible to achieve our definition.
On achieving the “best of both worlds” in secure multiparty computation
 In Proceedings of the 39th Annual ACM Symposium on Theory of computing, 2007
Cited by 18 (3 self)
Two settings are typically considered for secure multiparty computation, depending on whether or not a majority of the parties are assumed to be honest. Protocols designed under this assumption provide “full security” (and, in particular, guarantee output delivery and fairness) when this assumption is correct; however, if half or more of the parties are dishonest then security is completely compromised. On the other hand, protocols tolerating arbitrarily many faults do not provide fairness or guaranteed output delivery even if only a single party is dishonest. It is natural to wonder whether it is possible to achieve the “best of both worlds”: namely, a single protocol that simultaneously achieves the best possible security in both the above settings. Ishai, et al. (Crypto 2006) recently addressed this question, and ruled out constant-round protocols of this type. As our main result, we completely settle the question by ruling out protocols using any (expected) polynomial number of rounds. Given this stark negative result, we then ask what can be achieved if we are willing to assume simultaneous message transmission (or, equivalently, a non-rushing adversary). In this setting, we show that impossibility still holds for logarithmic-round protocols. We also show, for any polynomial p, a protocol (whose round complexity depends on p) that can be simulated to within closeness O(1/p).
Salus: A System for Server-Aided Secure Function Evaluation
Cited by 17 (2 self)
Secure function evaluation (SFE) allows a set of mutually distrustful parties to evaluate a function of their joint inputs without revealing their inputs to each other. SFE has been the focus of active research and recent work suggests that it can be made practical. Unfortunately, current protocols and implementations have inherent limitations that are hard to overcome using standard and practical techniques. Among them are: (1) requiring participants to do work linear in the size of the circuit representation of the function; (2) requiring all parties to do the same amount of work; and (3) not being able to provide complete fairness. A promising approach for overcoming these limitations is to augment the SFE setting with a small set of untrusted servers that have no input to the computation and that receive no output, but that make their computational resources available to the parties. In this model, referred to as server-aided SFE, the goal is to tradeoff the parties’ work at the expense of the servers. Motivated by the emergence of public cloud services such as Amazon EC2 and Microsoft Azure, recent work has explored the extent to which server-aided SFE can be achieved with a single server. In this work, we revisit the server-aided setting from a practical perspective and design single-server-aided SFE protocols that are considerably more efficient than all previously-known protocols. We achieve this in part by introducing several new techniques for garbled-circuit-based protocols, including a new and efficient input-checking mechanism for cut-and-choose and a new pipelining technique that works in the presence of malicious adversaries. Furthermore, we extend the server-aided model to guarantee fairness which is an important property to achieve in practice. Finally, we implement and evaluate our constructions experimentally and show that our protocols (regardless of the number of parties involved) yield implementations that are 4 and 6 times faster than the most optimized two-party SFE implementation when the server is assumed to be malicious and covert, respectively.
Legally-Enforceable Fairness in Secure Two-Party Computation
Cited by 13 (0 self)
In the setting of secure multiparty computation, a set of mutually distrustful parties wish to securely compute some joint function of their private inputs. The computation should be carried out in a secure way, meaning that the properties privacy, correctness, independence of inputs, fairness and guaranteed output delivery should all be preserved. Unfortunately, in the case of no honest majority – and specifically in the important two-party case – it is impossible to achieve fairness and guaranteed output delivery. In this paper, we show how a legal infrastructure that respects digital signatures can be used to enforce fairness in two-party computation. Our protocol has the property that if one party obtains output while the other does not (meaning that fairness is breached), then the party not obtaining output has a digitally signed cheque from the other party. Thus, fairness can be “enforced” in the sense that any breach results in a loss of money by the adversarial party.
Complete fairness in multiparty computation without an honest majority
 In 6th Theory of Cryptography Conference — TCC 2009, volume 5444 of LNCS
Cited by 13 (4 self)
A well-known result of Cleve shows that complete fairness is impossible, in general, without an honest majority. Somewhat surprisingly, Gordon et al. recently showed that certain (nontrivial) functions can be computed with complete fairness in the two-party setting. Motivated by their result, we show here the first completely-fair protocols (for nontrivial functions) in the multiparty setting. Specifically, we show that boolean OR can be computed fairly for any number of parties n, and that voting can be computed fairly for n = 3 (in each case, we tolerate an arbitrary number of corruptions). Our protocol for voting requires ω(log k) rounds, where k is the security parameter, and we prove this is optimal if complete fairness is desired.
On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation
 In Advances in Cryptology — CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, 2006
Cited by 12 (2 self)
In the setting of multiparty computation, a set of parties wish to jointly compute a function of their inputs, while preserving security in the case that some subset of them are corrupted. The typical security properties considered are privacy, correctness, independence of inputs, guaranteed output delivery and fairness. Until now, all works in this area either considered the case that the corrupted subset of parties constitutes a strict minority, or the case that a half or more of the parties are corrupted. Secure protocols for the case of an honest majority achieve full security and thus output delivery and fairness are guaranteed. However, the security of these protocols is completely compromised if there is no honest majority. In contrast, protocols for the case of no honest majority do not guarantee output delivery, but do provide privacy, correctness and independence of inputs for any number of corrupted parties. Unfortunately, an adversary controlling only a single party can disrupt the computation of these protocols and prevent output delivery. In this paper, we study the possibility of obtaining general protocols for multiparty computation that simultaneously guarantee security (allowing abort) in the case that an arbitrary number of parties are corrupted and full security (including guaranteed output delivery) in the case that only a minority of the parties are corrupted. That is, we wish to obtain the best of both worlds in a single protocol, depending on the corruption case. We obtain both positive and negative results on this question, depending on the type of the functionality to be computed (standard or reactive) and the type of dishonest majority (semi-honest or malicious).
Towards a game theoretic view of secure computation
 In 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques EUROCRYPT (2011)
Cited by 10 (0 self)
We demonstrate how Game Theoretic concepts and formalism can be used to capture cryptographic notions of security. In the restricted but indicative case of two-party protocols in the face of malicious fail-stop faults, we first show how the traditional notions of secrecy and correctness of protocols can be captured as properties of Nash equilibria in games for rational players. Next, we concentrate on fairness. Here we demonstrate a Game Theoretic notion and two different cryptographic notions that turn out to all be equivalent. In addition, we provide a simulation based notion that implies the previous three. All four notions are weaker than existing cryptographic notions of fairness. In particular, we show that they can be met in some
Efficient secure computation with garbled circuits
 In ICISS, 2011
Cited by 7 (0 self)
Secure two-party computation enables applications in which participants compute the output of a function that depends on their private inputs, without revealing those inputs or relying on any trusted third party. In this paper, we show the potential of building privacy-preserving applications using garbled circuits, a generic technique that until recently was believed to be too inefficient to scale to realistic problems. We present a Java-based framework that uses pipelining and circuit-level optimizations to build efficient and scalable privacy-preserving applications. Although the standard garbled circuit protocol assumes a very weak, honest-but-curious adversary, techniques are available for converting such protocols to resist stronger adversaries, including fully malicious adversaries. We summarize approaches to producing malicious-resistant secure computations that reduce the costs of transforming a protocol to be secure against stronger adversaries. In addition, we summarize results on ensuring fairness, the property that either both parties receive the result or neither party does. Several open problems remain, but as theory and pragmatism advance, secure computation is approaching the point where it offers practical solutions for a wide variety of important problems.
An Efficient Protocol for Fair Secure Two-Party Computation
Cited by 4 (0 self)
In the 1980s, Yao presented a very efficient constant-round secure two-party computation protocol withstanding semi-honest adversaries, which is based on so-called garbled circuits. Later, several protocols based on garbled circuits covering malicious adversaries have been proposed. Only a few papers, however, discuss the fundamental property of fairness for two-party computation. So far the protocol by Pinkas (Eurocrypt 2003) is the only one which deals with fairness for Yao’s garbled circuit approach. In this paper, we improve upon Pinkas’ protocol by presenting a more efficient variant, which includes several modifications including one that fixes a subtle security problem with the computation of the so-called majority circuit. We prove the security of our protocol according to the real/ideal simulation paradigm, as Lindell and Pinkas recently did for the malicious case (Eurocrypt 2007).