Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. In CRYPTO, volume 2139 of LNCS, pages 171--189. Springer, 2001.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....secure computation. Following the initial plausibility results [26, 17, 6, 9] much of the research in this area has shifted to various complexity aspects of secure computation. In particular, the problem of obtaining constant round secure protocols has attracted a considerable amount of attention [1, 5, 4, 13, 18, 24, 3, 7, 19, 10, 21]. Our work continues this line of research, and focuses on the following question: can perfectly secure computation be realized with a constant number of rounds in the worst case In the computational setting for secure computation, any function that can be (efficiently) computed can also be ....

.... focuses on the following question: can perfectly secure computation be realized with a constant number of rounds in the worst case In the computational setting for secure computation, any function that can be (efficiently) computed can also be securely computed in a constant number of rounds [26, 5, 21]. The situation is not as well understood in the information theoretic setting. Several (efficient) constant round protocols are known in this setting for function classes such as NC , polynomial size branching programs, and related linear algebra classes [1, 13, 18, 3, 19, 10] All these ....

[Article contains additional citation context not shown here]

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In Prof. of Crypto '01.

....protocols appears, quite miraculously, to never lose its steam. In this work we study the round complexity of secure multiparty computation. Following the initial plausibility results in this area [32, 21, 5, 10] considerable e orts have been spent on obtaining round ecient protocols [1, 4, 3, 13, 22, 31, 2, 8, 23, 17, 26, 11, 24]. In the multiparty setting, it was recently shown in [17] that every function can be securely computed in three rounds (tolerating a constant fraction of malicious players) and that for certain nontrivial tasks two rounds suce. This Most of this work was done while the author was at AT T ....

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In Crypto '01, pages 171-189, 2001. LNCS No. 2139.

....or (finite precision) reals; indeed, such computations can be naturally embedded into fields of a su#ciently large characteristic. However, in the constant round setting the state of a#airs is quite di#erent. All known protocols for e#ciently evaluating a circuit in a constant number of rounds [41, 5, 12, 34] are based on Yao s garbled circuit construction, which does not e#ciently scale to arithmetic circuits over large fields. The only constant round protocols in the literature which do e#ciently scale to arithmetic computation over large fields apply to the weaker computational models of ....

Y. Lindell. Parallel coin-tossing and constant-round secure two-party Computation. In Proc. of CRYPTO '01, LNCS 2139, pp. 171-189, 2001.

.... is leaked by the output of the function is revealed (a formal de nition is given in Section 2) Since the initial results showing that mpc was feasible [34, 24, 7, 12] a number of works have focused on improving the eciency of these protocols and in particular their round complexity (e.g. [1, 6, 29, 28, 22, 30, 15]) Known results for generic mpc secure against malicious adversaries in the computational setting may be summarized as follows (results are stated for the setting when a broadcast channel is available; we discuss the setting without a broadcast channel in Section 2.1) Secure two party ....

....setting may be summarized as follows (results are stated for the setting when a broadcast channel is available; we discuss the setting without a broadcast channel in Section 2. 1) Secure two party computation may be achieved in a constant number of rounds by applying the compiler of Lindell [30] (based on earlier work of Goldreich, Micali, and Wigderson [24] to the constant round protocol of Yao [34] which is secure against semi honest adversaries) Supported in part by U.S. Army Research Oce Grant DAAD19 00 1 0177 Secure mpc for honest majorities (i.e. when the number of ....

[Article contains additional citation context not shown here]

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. In Advances in Cryptology | CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 171-189. IACR, Springer, 2001.

....to make it possible to combat identity fraud, and in such a case, ID should never become known to anyone other than the user. We further discuss the notion of identity in the electronic setting in Section 1.2.2. Here, general techniques of secure two party computation [Yao86, GMW87a, Gol98, Lin01] save the day: the user and the organization can use a secure two party protocol such that the user s output is a signature on his identity, while the organization learns nothing. But this is also very expensive: general secure two party computation also represents the function to be computed as ....

Yehuda Lindell. Parallel coin-tossing and constant-round secure twoparty computation. In Joe Kilian, editor, Advances in Cryptology | CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 171-189. Springer Verlag, 2001. 130

....In Section 4 we sketch how to handle adversaries that use a non synchronizing scheduling. Rough outline of proof structure. The general form of our non malleable coin tossing protocol is similar to previous (malleable) coin tossing protocols. In fact, it is quite similar to the protocol of [Lin01] except for the following modi cation. The modi cation is that while the protocol of [Lin01] involves a zero knowledge proof that some condition X occurs, in our protocol we prove that either X or Y occurs, where Y is some bogus condition that almost always will not be satis ed in a real ....

....Rough outline of proof structure. The general form of our non malleable coin tossing protocol is similar to previous (malleable) coin tossing protocols. In fact, it is quite similar to the protocol of [Lin01] except for the following modi cation. The modi cation is that while the protocol of [Lin01] involves a zero knowledge proof that some condition X occurs, in our protocol we prove that either X or Y occurs, where Y is some bogus condition that almost always will not be satis ed in a real execution. This is a technique that originated in the work of Feige, Lapidot and Shamir [FLS99] ....

[Article contains additional citation context not shown here]

Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. In CRYPTO ' 2001, pages 171-189, 2001.

No context found.

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In CRYPTO'01, Springer-Verlag (LNCS 2139), pages 171--189, 2001.

....except for the ideal zero knowledge calls, # forwards all of the # # messages unmodified between . controlling P 1 , proves a zero knowledge proof of knowledge for some statement v, # runs the extraction strategy for POK. Actually, what is needed is witness extended emulation; see [32, 4] for details. This involves simulating Protocol BZK for as the verifier (because the subproof of part 1 that is simulated is given by P 2 to P 1 ) and honestly verifying Protocol is the prover (because the subproof of part 2 is given by P 1 ) In addition, the receiver messages of the ....

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. To appear in the Journal of Cryptology, 2003.

....time for interactive machines. Furthermore, there exist zero knowledge protocols for which there is no known expected polynomial time simulator that works when the veri er may run in expected polynomial time (in particular, the proof of [17] has this property; see the full version of [22] for an analysis) In fact, since [17] is the only known constant round (statistically sound) proof of knowledge, there are no known zero knowledge proofs that can be simulated for expected polynomial time veri ers. Technical considerations: Expected polynomial time is less understood than ....

....Expected polynomial time is less understood than the more standard strict polynomial time. This means that rigorous proofs of security of protocols that use zero knowledge arguments with expected polynomial time simulators as components, are typically more complicated (see the full version of [22] for an example) Another technical problem that arises is that expected polynomial time simulation is not closed under composition. Consider, for example, a protocol that uses zero knowledge as a subprotocol. Furthermore, assume that the security of the larger protocol is proved in two stages. ....

[Article contains additional citation context not shown here]

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. Cryptology CRYPTO '01, pages 171-189, 2001.

....with the honest prover, in order to gain some information. zero knowledge protocols for which there is no known expected polynomial time simulator that works when the verifier may run in expected polynomial time (in particular, the proof of [16] has this property; see the full version of [21] for an analysis) In fact, since [16] is the only known constant round (statistically sound) proof of knowledge, there are no known zero knowledge proofs that can be simulated for expected polynomial time verifiers. ffl Technical considerations: Expected polynomial time is less understood ....

....Expected polynomial time is less understood than the more standard strict polynomial time. This means that rigorous proofs of security of protocols that use zero knowledge arguments with expected polynomial time simulators as components, are typically more complicated (see the full version of [21] for an example) Another technical problem that arises is that expected polynomial time simulation is not closed under composition. Consider, for example, a protocol that uses zero knowledge as a subprotocol. Furthermore, assume that the security of the larger protocol is proved in two stages. ....

[Article contains additional citation context not shown here]

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. Cryptology CRYPTO '01, pages 171--189, 2001.

....zero knowledge argument. The zero knowledge proof used must be resettably sound in order to protect the prover, who may be reset, against a cheating veri er. This technique of achieving simulation by proving the validity of the revealed value rather than actually decommitting was introduced in [27]. Since the veri er is bound to its initial commitment by the above argument, the fact that the protocol is hWI is shown in a similar manner to the proof (shown in [7] that the protocol of [21] is hWI. Thus, using the transformation of Construction 4.3 we obtain a rWI protocol. Indeed, the ....

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In Crypto 2001.

....zero knowledge argument. The zero knowledge proof used must be resettably sound in order to protect the prover, who may be reset, against a cheating verifier. This technique of achieving simulation by proving the validity of the revealed value rather than actually decommitting was introduced in [27]. Since the verifier is bound to its initial commitment by the above argument, the fact that the protocol is hWI is shown in a similar manner to the proof (shown in [7] that the protocol of [21] is hWI. Thus, using the transformation of Construction 4.3 we obtain a rWI protocol. Indeed, the ....

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In Crypto 2001.

No context found.

Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. In CRYPTO, volume 2139 of LNCS, pages 171--189. Springer, 2001.

No context found.

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. J. Cryptology 16(3): 143-184 (2003.

No context found.

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology, 16(3):143--184, 2003.

No context found.

Yehuda Lindell. Parallel coin-tossing and constant round secure two-party computation. In proceedings of CRYPTO '01, LNCS series, volume 2139, pages 408-432, 2001.

No context found.

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In Crypto01, Springer Lecture Notes in Computer Science (Vol. 2139), pages 171-189, 2001.

No context found.

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. In Advances in Cryptology | CRYPTO 2001.

No context found.

Yehuda Lindell. Parallel coin-tossing and constant round secure two-party computation. In proceedings of CRYPTO '01, LNCS series, volume 2139, pages 408-432, 2001.

No context found.

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. In J. Kilian (Ed.): Advances in Cryptology-Proceedings of CRYPTO 2001.

No context found.

Y. Lindell. Parallel coin-tossing and constant-round secure two-party Computation. In Proc. of CRYPTO '01, LNCS 2139, pp. 171-189, 2001.

No context found.

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. In Advances in Cryptology --- CRYPTO 2001 [32], pages 171--189.

No context found.

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. Adv. in Cryptology --- Crypto 2001, LNCS vol. 2139, Springer-Verlag, pp. 171--189, 2001.

No context found.

Y. Lindell. Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation. Adv. in Cryptology --- Crypto 2001, LNCS vol. 2139, Springer-Verlag, pp. 171--189, 2001.

No context found.

Y. Lindell. Parallel coin-tossing and constant-round secure two-party computation. In Advances in Cryptology --- CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 171--189. IACR, Springer, 2001.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC